Date: November 2025
Vendor: Vizetto Inc.
Application: Reactiv SUITE (IWB and WALL)
1. OVERVIEW
Reactiv SUITE is an enterprise collaboration platform for interactive displays and digital whiteboards that integrates with Microsoft Office 365 for:
- Individual user OneDrive file access
- Meeting room calendar integration
- SharePoint document access
Authentication Method:
OAuth 2.0 / OpenID Connect via Microsoft Authentication Library (MSAL)
Key Security Features:
- User credentials handled entirely by Microsoft (never by Reactiv SUITE)
- Tokens encrypted using Windows Data Protection API (DPAPI/AES-256)
- Integrates with standard SSO infrastructure (e.g., OKTA, Azure AD)
- No Office 365 content transmitted to Vizetto servers
2. AZURE AD APP REGISTRATIONS
Reactiv SUITE uses two separate multi-tenant Azure AD applications:
OneDrive Integration (Individual Users):
- App Name: Reactiv IWB Attendees
- App ID: 3ebd641f-ef5a-428b-9503-f8953d9ccd7c
- Redirect URI: http://localhost
Calendar Integration (Meeting Room Boards):
- App Name: Reactiv Board Calendar
- App ID: ba340307-1db6-4c03-ab0c-03060861aa72
- Redirect URI: http://localhost
3. MICROSOFT GRAPH API PERMISSIONS
3.1 OneDrive Integration (Delegated Permissions)
- User.ReadWrite – Read/update user profile
- profile – Basic profile (name, email)
- Files.ReadWrite – Access user’s OneDrive files
- Calendars.Read – Read user’s calendar
- Sites.ReadWrite.All – Access SharePoint sites user has access to
- offline_access – Maintain access via refresh tokens
Data Access Scope: Limited to data the authenticated user already has access to. No access to other users’ data, email, or admin-level information.
3.2 Calendar Integration (Delegated Permissions)
- Calendars.Read – Read room calendar events
- User.Read – Read room account profile
- email – Read email address
- profile – Basic profile information
Data Access Scope: Limited to the specific room/resource mailbox that authenticates. Displays meeting titles, times, attendees, and join URLs only.
4. AUTHENTICATION FLOW
- User initiates sign-in from Reactiv SUITE
- System browser opens to login.microsoftonline.com
- Organization’s SSO provider (e.g., OKTA, Azure AD) authenticates user
- Microsoft returns OAuth token
- Token encrypted with Windows DPAPI and stored locally
- Application uses token for Microsoft Graph API calls
Token Storage Location:
C:\Users\<username>\AppData\Local\Vizetto\MsGraphData\
- UsersO365.msalcache.bin3
- BoardO365.msalcache.bin3
Token Lifecycle:
- Access Token: 1 hour expiration
- Refresh Token: 90 days expiration
- Automatic refresh handled by MSAL library
5. LOCAL DATA STORAGE
Application Settings:
C:\ProgramData\Vizetto\
- reactivsettings.json
- Log.txt
User Data:
C:\Users\<username>\AppData\Local\Reactiv SUITE\
- Temporary file cache
- Thumbnail images
- Calendar event cache
- CEF browser cache
Data Stored:
- File metadata (name, size, date)
- Thumbnail images for previews
- Calendar event cache (offline display)
- Application preferences
Data NOT Stored:
- User passwords
- Full file content (only thumbnails)
- Email messages
- Other users’ data
6. NETWORK COMMUNICATION
6.1 Microsoft Services
Azure AD Authentication:
- URL: login.microsoftonline.com
- Port: 443 (HTTPS)
- Protocol: TLS 1.2+
- Purpose: User authentication
Microsoft Graph API:
- URL: graph.microsoft.com
- Port: 443 (HTTPS)
- Protocol: TLS 1.2+
- Purpose: OneDrive, Calendar, SharePoint access
OneDrive/SharePoint:
- URL: *.sharepoint.com
- Port: 443 (HTTPS)
- Protocol: TLS 1.2+
- Purpose: File access
6.2 Vizetto Services (Optional)
License Activation:
- URL: portal.reactiv.com
- Port: 443 (HTTPS)
- Data: Product key, computer ID, version number
- Frequency: Once at activation, periodic validation
- User Control: Required for activation
Usage Telemetry:
- URL: portal.reactiv.com/api/events
- Port: 443 (HTTPS)
- Data: Anonymous usage statistics (no PII, no O365 content)
- Frequency: Daily summary
- User Control: Can be disabled in settings
Software Updates:
- URL: updates.vizetto.com
- Port: 443 (HTTPS)
- Data: Current version number only
- Frequency: Hourly check (every 60 minutes)
6.3 Screen Mirroring Services (Optional Features)
AirPlay (Apple Device Mirroring):
- Protocol: mDNS/Bonjour + RAOP
- Ports: See Section 11.3 for complete port listing
- User Control: Opt-in feature, disabled by default
Miracast (Windows Device Mirroring):
- Protocol: Wi-Fi Direct / WFD
- Ports: See Section 11.3 for complete port listing
- User Control: Opt-in feature, disabled by default
Chromecast (Google Cast):
- Status: DISABLED – Pending third-party library security update
- Will not be active in current deployment
- Ports: TCP 8008, 8009 (when enabled in future)
Note: Screen mirroring features are optional and not required for Office 365 integration.
7. CORPORATE NETWORK COMPATIBILITY
SSO Integration:
- Uses system browser for authentication
- Compatible with enterprise SSO providers (OKTA, Azure AD, Ping Identity, etc.)
- Supports SAML and OpenID Connect federation
- No additional SSO configuration required
Proxy Server Support:
- Auto-detects Windows proxy settings
- Supports authenticated proxies (NTLM, Kerberos, Basic)
- PAC file and WPAD support
- Configuration: UseCEFSystemProxy setting (enabled by default)
SSL Inspection:
- Trusts Windows certificate store
- Compatible with corporate SSL inspection appliances
- Supports custom root CA certificates via Group Policy
- Configuration: UseCEFSystemCertificates setting (enabled by default)
Azure AD Conditional Access:
- Fully compatible with Conditional Access policies
- Supports device compliance requirements
- MFA enforcement via Azure AD configuration
8. SECURITY SPECIFICATIONS
Encryption:
- Token Storage: Windows DPAPI (AES-256)
- Network Transport: TLS 1.2 or TLS 1.3
- Certificate Validation: Full chain validation required
Code Signing:
- Publisher: Vizetto Inc.
- Algorithm: SHA-256 with RSA
- Certificate Authority: DigiCert
Session Security:
- 2-minute timeout for incomplete authentication
- Automatic token refresh
- User or admin can revoke access via Azure AD
9. SYSTEM REQUIREMENTS
Platform:
- OS: Windows 10 (version 1809+) or Windows 11
- Architecture: 64-bit only
Minimum Hardware:
- CPU: Intel Core i5 (6th gen) or AMD equivalent
- RAM: 8 GB
- Storage: 2 GB free space
- Network: 10 Mbps internet connection
Dependencies:
- .NET Framework 4.8
- .NET Runtime 6.0
- Visual C++ Redistributables (2015-2022)
- Microsoft Edge WebView2 Runtime
Libraries:
- Microsoft.Identity.Client (MSAL) 4.x
- Microsoft.Graph 4.x
- System.Security.Cryptography.ProtectedData 6.0
10. ADMIN CONSENT REQUIREMENT
Organizations may require tenant-wide admin consent due to security policies.
Required Admin Role:
- Global Administrator, Application Administrator, or Cloud Application Administrator
Consent URLs:
OneDrive Integration:
Calendar Integration:
Process:
- Admin clicks URL
- Signs in with admin account
- Reviews permissions
- Clicks “Accept”
- Consent granted for entire organization
11. FIREWALL REQUIREMENTS
11.1 Outbound Rules – Microsoft Services (Required)
Azure AD Authentication:
- Destination: login.microsoftonline.com
- Port: 443
- Protocol: HTTPS
- Purpose: User authentication
Microsoft Graph API:
- Destination: graph.microsoft.com
- Port: 443
- Protocol: HTTPS
- Purpose: API access for OneDrive, Calendar, SharePoint
OneDrive and SharePoint:
- Destination: *.sharepoint.com
- Port: 443
- Protocol: HTTPS
- Purpose: File access and document retrieval
11.2 Outbound Rules – Vizetto Services (Optional)
License Activation:
- Destination: portal.reactiv.com
- Port: 443
- Protocol: HTTPS
- Purpose: Product license validation
Software Updates:
- Destination: updates.vizetto.com
- Port: 443
- Protocol: HTTPS
- Purpose: Application update checks
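The outbound destinations in Sections 11.1 and 11.2 can be turned into an egress check. The following is an added example, not Vizetto code: it audits proxy log lines for the ReactivSUITE.exe process against the documented hosts and port. The log layout (`timestamp process method host:port`) and the sample lines are assumptions constructed for illustration.

```python
# Documented outbound destinations (Sections 11.1 and 11.2), all HTTPS on 443.
ALLOWED_HOSTS = ("login.microsoftonline.com", "graph.microsoft.com",
                 "*.sharepoint.com", "portal.reactiv.com",
                 "updates.vizetto.com")

def host_allowed(host, patterns=ALLOWED_HOSTS):
    """Exact match, or for '*.' patterns a suffix match on a label boundary."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".sharepoint.com", leading dot kept
            # The dot rejects "xsharepoint.com"; the length check rejects a bare suffix.
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pattern:
            return True
    return False

def audit(lines, process="ReactivSUITE.exe"):
    """Return (line_no, host, port, reason) for each connection by `process`
    that falls outside the documented destinations."""
    findings = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) != 4 or parts[1] != process or parts[2] != "CONNECT":
            continue
        host, sep, port = parts[3].rpartition(":")
        if not sep:
            continue  # malformed target, no port
        if port != "443":
            findings.append((n, host, port, "port other than 443"))
        elif not host_allowed(host):
            findings.append((n, host, port, "destination not documented"))
    return findings

SAMPLE_LOG = [  # constructed lines in a hypothetical proxy-log layout
    "2025-11-03T09:00:01Z ReactivSUITE.exe CONNECT login.microsoftonline.com:443",
    "2025-11-03T09:00:05Z ReactivSUITE.exe CONNECT contoso.sharepoint.com:443",
    "2025-11-03T09:00:09Z ReactivSUITE.exe CONNECT graph.microsoft.com.example.net:443",
    "2025-11-03T09:00:12Z ReactivSUITE.exe CONNECT updates.vizetto.com:8443",
    "2025-11-03T09:00:15Z ReactivSUITE.exe CONNECT portal.reactiv.com:443",
    "2025-11-03T09:00:20Z msedge.exe CONNECT example.org:443",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Screen mirroring traffic from Section 11.3 is local-network UDP and would not appear in a proxy log, so it is outside this check.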
11.3 Screen Mirroring Ports (Optional, if enabled)
AirPlay (Apple Device Mirroring):
- UDP Port 5353 – mDNS service discovery
- UDP Port 7000 – AirPlay server
- UDP Port 7100 – Data channel
- UDP Port 61875 – Audio channel
- UDP Port 29053 – Event channel
- UDP Port 2001 – Timing channel
Miracast (Windows Device Mirroring):
- UDP Port 7236 – RTSP streaming
Chromecast (Google Cast):
- Status: DISABLED – Pending third-party library security update
- Will not be active in current deployment
- UDP Port 35065 – Chromecast server (when enabled in future)
Note: Screen mirroring ports are required only on the local network, and only if these features are enabled. They are not required for Office 365 integration.
11.4 Inbound Rules
Office 365 Integration:
- None required (all connections are client-initiated outbound only)
Screen Mirroring (if enabled):
- Local network access required for device discovery and streaming
- No internet-facing inbound ports required
11.5 Automatic Firewall Configuration
Installer Behavior:
The Reactiv SUITE MSI installer automatically configures Windows Firewall rules during installation:
- Microsoft Services (O365): Outbound HTTPS (port 443) is typically allowed by default in Windows Firewall; no additional rules created by installer
- Screen Mirroring Services: If AirPlay or Miracast features are enabled during installation or first launch, the installer will:
  - Create Windows Firewall inbound rules for required ports
  - Scope rules to “Private” and “Domain” network profiles only (not Public networks)
  - Use application-level rules (tied to ReactivSUITE.exe) rather than port-based rules where possible
  - Request administrator elevation if needed to modify firewall settings
- Uninstallation: Firewall rules are automatically removed when Reactiv SUITE is uninstalled
Corporate Firewall Considerations:
- Windows Firewall rules handle local host-level firewall only
- Corporate network firewalls or edge devices must be configured separately by IT if outbound HTTPS filtering is in place
- Screen mirroring operates on local network only; no corporate firewall changes needed unless blocking local subnet traffic
Group Policy Management:
- IT administrators can pre-configure or override firewall rules via Group Policy if desired
- Application firewall rules can be centrally managed through Windows Defender Firewall with Advanced Security GPO settings
12. MONITORING & LOGGING
Azure AD Audit Logs:
- Monitor sign-ins for App IDs: 3ebd641f… and ba340307…
- Track authentication failures
- Review Conditional Access policy blocks
Application Logs:
C:\ProgramData\Vizetto\Log.txt
Log Retention:
- Azure AD: 30 days (P1/P2), export to SIEM for long-term retention
- Local logs: Rotated at 2 MB, 4 backup files retained
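The three monitoring items above (sign-ins for the two App IDs, authentication failures, Conditional Access blocks) can be run as a triage pass over exported sign-in records. This is an added example, not Vizetto code: it assumes records exported with the field names of the Microsoft Graph signIn resource, and the sample events, users and threshold are constructed.

```python
from collections import Counter, defaultdict

# App IDs from Section 2 of this document.
IWB = "3ebd641f-ef5a-428b-9503-f8953d9ccd7c"
CAL = "ba340307-1db6-4c03-ab0c-03060861aa72"
REACTIV_APPS = {IWB: "Reactiv IWB Attendees", CAL: "Reactiv Board Calendar"}

def triage(events, repeat_threshold=3):
    """Per app: successes, failures by error code, CA blocks, repeat failers."""
    report = {name: {"success": 0, "failures": Counter(),
                     "ca_blocked": [], "repeat_failures": []}
              for name in REACTIV_APPS.values()}
    per_user = defaultdict(Counter)
    for ev in events:
        name = REACTIV_APPS.get(str(ev.get("appId", "")).lower())
        if name is None:
            continue  # sign-in to some other application
        code = (ev.get("status") or {}).get("errorCode", 0)
        upn = ev.get("userPrincipalName") or "unknown"
        if ev.get("conditionalAccessStatus") == "failure":
            report[name]["ca_blocked"].append((ev.get("createdDateTime"), upn))
        if code == 0:
            report[name]["success"] += 1
        else:
            report[name]["failures"][code] += 1
            per_user[name][upn] += 1
    for name, users in per_user.items():
        report[name]["repeat_failures"] = sorted(
            u for u, n in users.items() if n >= repeat_threshold)
    return report

def sign_in(ts, app, upn, code=0, ca="notApplied"):
    # Constructed record using field names of the Graph signIn resource.
    return {"createdDateTime": ts, "appId": app, "userPrincipalName": upn,
            "status": {"errorCode": code}, "conditionalAccessStatus": ca}

SAMPLE = [  # constructed; 53003 = CA block, 50126 = bad credentials, 65001 = no consent
    sign_in("2025-11-03T09:00:00Z", IWB, "alice@contoso.example"),
    sign_in("2025-11-03T09:01:00Z", IWB, "bob@contoso.example", 53003, "failure"),
    sign_in("2025-11-03T09:02:00Z", IWB, "carol@contoso.example", 50126),
    sign_in("2025-11-03T09:02:30Z", IWB, "carol@contoso.example", 50126),
    sign_in("2025-11-03T09:03:00Z", IWB, "carol@contoso.example", 50126),
    sign_in("2025-11-03T09:05:00Z", CAL, "room-4a@contoso.example", 65001),
    sign_in("2025-11-03T09:06:00Z", "00000000-0000-0000-0000-000000000000", "dave@contoso.example", 50126),
]

if __name__ == "__main__":
    for app, summary in triage(SAMPLE).items():
        print(app, dict(summary, failures=dict(summary["failures"])))
```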
13. TROUBLESHOOTING
Issue: “Need admin approval” error
Resolution: Admin must grant consent via URLs in Section 10
Issue: Authentication timeout
Resolution: User must complete sign-in within 2 minutes; retry if needed
Issue: SSO not working
Resolution: Verify that the UseExternalBrowserForO365Auth setting is enabled (default: true)
Issue: Proxy connection failure
Resolution: Verify that the UseCEFSystemProxy setting is enabled (default: true)
Issue: Token/cache corruption
Resolution: Delete %USERPROFILE%\AppData\Local\Vizetto\MsGraphData\ (i.e., C:\Users\<username>\AppData\Local\Vizetto\MsGraphData\) and retry
14. CONTACT INFORMATION
Vizetto Technical Support:
- Email: techsupport@vizetto.com
- Documentation: https://vizetto.com/docs
- Support Portal: https://vizetto.com/support
Application Details:
- Version: Check via Help → About in application
- Installation: MSI package deployment
- Updates: Automatic check
END OF DOCUMENT
This document provides the technical specifications required for enterprise IT security review and network configuration. For additional information, contact Vizetto Technical Support.