Nextcloud 9 update brings security, open source enterprise capabilities and support subscription, iOS app

We’re excited to announce that our Enterprise Support Subscriptions are available! With the Nextcloud update available today come enterprise capabilities including Windows Network Drive storage support, Shibboleth/SAML authentication integration, theming capabilities and control over password policy. These provide the most important capabilities for enterprises, under an open source license and developed in an open and transparent way with direct feedback from prospective users. This release also fixes critical security issues discovered as part of our $5000 Security Bug Bounty Program. Together with TWSweb, developers of the popular Cryptocloud app, we announce a partnership to provide Nextcloud users with a capable client for iOS.

Enterprise capabilities

Windows Network Drive integration
  • SAML Single Sign-On Authentication (SSO)
  • Extensive logging and reporting capabilities
  • Windows Network Drive integration
  • Password policy
  • Easy branding and theming
  • Improved anonymous upload (former Files Drop)
  • Calendar and Contacts
  • Secure WebRTC Conferencing
  • Online Office integration

You can learn more about our capabilities on our feature page.

In the coming weeks, further capabilities will become available. These features are part of the core of Nextcloud or can be installed easily as apps, all available under an open source license. We believe that transparent development processes ultimately benefit users and customers, not only because more contributors makes for better code but the closer collaboration with partners enables a better alignment with the needs of users. We thus invite prospective users and customers to get involved in development.

Federated Cloud Sharing and the Open Cloud Mesh initiative

Yesterday, Nextcloud announced participation in the Open Cloud Mesh initiative. Under the umbrella of research collaborative GÉANT it aims to link researchers and universities in Europe, the Americas and Asia via a series of interconnected, secure private clouds. The project builds on the Federated Cloud Syncing protocol developed by Nextcloud contributors over the past years and already allows syncing between Nextcloud and Pydio servers, a first important step in breaking the barrier between the various public and private cloud silos.

Theming Nextcloud in half a minute.

We’ve published our plans for pushing this important initiative forward over the coming months.

The support you need to be successful

Our open approach extends to support. Nextcloud offer customers direct access to Nextcloud engineers, the latest knowledge and best practices. We provide technical expertise, guidance and collaboration with phone and chat contact. Pro-active security support helps customers identify and address vulnerabilities and harden their servers to protect the safety and integrity of sensitive data.

Our annual support subscription starts at 1500€ for 50 users and our offerings include options with up to 24/7 support and a 24 hour SLA with up to 15 years with Extended Life Cycle support. You can view our available subscriptions and their benefits on our enterprise pricing page.

For organizations or teams with less than 50 users, we recommend purchasing the spreedbox Business. This provides Nextcloud and web conferencing capabilities in a convenient and secure hardware appliance coming with a one year support contract.

The spreedbox offers a low-barrier entree to Nextcloud capabilities.


iOS and other clients

To provide the best possible experience to users on various platforms, we’re working with various partners. Today we announce that the makers of the popular Cryptocloud app provide the official Nextcloud client for iOS. This app can be grabbed from the appstore.

The Nextcloud iOS client supports all the needed capabilities like:

  • File handling like renaming, deleting and moving of files
  • Display of documents, photos, videos, audio files with previews
  • Favorite files to keep them synchronized and available offline
  • Automatic uploading of images taken with the phone camera

More abilities are under development and a new update to the Android app is coming soon!

Security Bug Bounties

Security is important for Nextcloud users and customers. This is why we released our Security Bug Bounty program, offering bounties up to USD 5000 for critical security issue disclosures. Among the highest payouts in the open source world, our offer has paid off and we’ve received reports from a number of high profile experts from the security community.

This program is a big part of what makes Nextcloud the most secure open source solution for file sync and share and with the release of enterprise capabilities and support options today, we make available a security and stability release of Nextcloud 9. We strongly recommend users to upgrade at their earliest convenience.

Customers can expect to be informed about security vulnerabilities and available workarounds or mitigation options as part of our service with a Enterprise Support Subscription.

Available now

You can get the latest release of Nextcloud on our install page and learn more about our Enterprise Support Subscriptions here and about our features here.

Notable Replies

  1. …so just to clarify… the enterprise features such as webrtc conferencing and Collabora integration… are these available to non enterprise users (ie users without a support subscription)?

  2. Of course, anyone can install them as of today. I’m preparing a blog about installing Spreed and we’ll do something with the Collabora once that is officially announced, too.

  3. This will be the case, at the moment this is a solution that is “good enough” for now. We will actively work on getting an app out that will be licensed as FOSS and allows contributions by external parties :slight_smile:

    Stay tuned! And any help of course welcome :slight_smile:

  4. And to add to what Lukas said - who knows, we might be able to work with the Cryptocloud team to open source their app. If done the same way as the ownCloud app (GPL) it won’t hurt their business model…

  5. John says:

    Implications: Do not accidentally choose the folder name of the existing theme when using the GUI :stuck_out_tongue_winking_eye:

    Other than that: you should be fine

  6. ios says:

    We are working to make Nextcloud a platform that can meet the needs of all, I am sure that we will succeed in the future to find a good deal also with the community open source. :grinning:

  7. We don’t publicly disclose any security information to third parties until 14 days after the release, following industry best practices. On July 19th advisories will be published, we do recommend to have updated instances until then.

    As you can see by the HackerOne bounties the found vulnerabilities range all from low to medium. You can also see on that page what we consider as low and medium.

    We contact our CNA shortly before the advisory release date. Until then, no CVE identifiers are assigned.

    The quote from should answer that question:

    “With regard to these vulnerabilities, we have made ownCloud a proposal on how we believe this information exchange should work, but they have not agreed on a proposal yet,” Karlitschek said. “We hope that we can agree on a process so that ownCloud users also benefit from the security fixes we do.”

    So yes, ownCloud is affected by these bugs as well, as a courtesy we informed them about the vulnerabilities but they didn’t release any patched version or whatsoever yet.

    Note that migrating to Nextcloud is often a simple “replace all program files”, so that is always an option and I’d personally go that route if you care about security.

  8. They are included in the stabdard installation. Just go to your app screen and enable them :slight_smile:

  9. @LukasReschke we should do a blog or something about the updater stuff. Not only about where we want to take it but what we’re doing right now, ppl ask me if the new release is in the updater yet or not all the time :wink:

  10. ios says:

    there is no reason to worry about this, enjoy the present because the future will be even better :blush:

  11. So for the time being, all I can do is create a how-to for installing the app and server…

    That still sounds good, Jos! Looking forward to reading it! :wink:

  12. Yesssss, please!! I would love to do beta/alpha tests, because I’m eagerly looking forward to
    kickass skype :slight_smile:

  13. Soko says:

    Hello @jospoortvliet,

    based on your tutorial her’s a howto for installing under Ubuntu 16.04 an armhf-device (odroid xu4):

    App configuration
    sudo apt-add-repository ppa:strukturag/spreed-webrtc-unstable
    sudo apt-get update && sudo apt-get install spreed-webrtc
    we’ll now install the Spreed.ME app.
    This can be done either from the app store (if it is available there for your version of Nextcloud)
    or, as we’ll show here, directly from github.

    cd /var/www/owncloud/apps
    Go to the nextcloud app folder on your server.
    Download the zip file with the app
    Extract the app
    mv nextcloud-spreedme-master spreedme
    Rename the folder to spreedme
    The app is now installed.

    Now configurate Apache2
    Make sure you have the module mod_proxy_wstunnel enabled. In addition proxy,proxy_http and headers modules have to be enabled.

    a2enmod proxy proxy_http proxy_wstunnel headers

    cd /etc/apache2/sites-available/
    nano 001-default-ssl.conf
    Locate the closing tags for your virtual host:
    And insert this above it:

    Spreed.ME config (must be in same vhost)

    ProxyPassReverse /webrtc 
    ProxyPass ws:// 
    ProxyVia On 
    ProxyPreserveHost On 
    RequestHeader set X-Forwarded-Proto 'https' env=HTTPS

    sudo a2dissite 001-default-ssl.conf
    sudo service apache2 restart
    sudo a2ensite 001-default-ssl.conf
    sudo a2ensite 001-default-ssl.conf
    sudo service apache2 restart

    cd /etc/spreed
    Go to the folder where you installed the Spreed.ME server software
    cp webrtc.conf
    make a backup

    nano webrtc.conf

    In the [http] section:Enable basePath by removing the ; character in front of the line and set it to the basePath we
    install Spreed.ME in: /webrtc/. It now should look like:
    basePath = /webrtc/
    In the [app] section:add serverToken = randomEnable authorizeRoomJoin and set it to true:
    authorizeRoomJoin = trueEnable extra and set it to the full absolute path of the
    spreedme/extra directory in your apps folder of your Nextcloud
    extra = /var/www/owncloud/apps/spreedme/extraEnable plugin and set it to extra/static/owncloud.js:
    plugin = extra/static/owncloud.js

    The latest version of Spreed.ME does this automatically so you don’t need to set thisIn the [users] section:Enable enabled and set it to true:
    enabled = trueEnable mode and set it to sharedsecret:
    mode = sharedsecretEnable sharedsecret_secret and set it to a random
    64-character HEX string. Do NOT use the string given below. You can
    generate your own 64-character HEX string by running xxd -ps -l 32 -c 32
    /dev/random or openssl rand -hex 32 in a console. It should look like:
    sharedsecret_secret = bb04fb058e2d7fd19c5bdaa129e7883195f73a9c49414a7eXXXXXXXXXXXXXXXX

    Now save and close the file. You will need to copy the shared secret in another file, so keep it in your clipboard, another terminal or a temporary text file.

    Now, start the server
    service spreed-webrtc restart

    less /var/log/spreed/webrtc/server.log
    control log

    App configuration
    Now, we have to configure the Spreed.ME app so it can talk to the Spreed.ME server.

    cd /var/www/owncloud/apps/spreedme/config
    Go to the nextcloud spreedme app configuration folder

    cp config.php
    Create the config file from the default file
    nano config.php
    Edit the config file and make these modifications:Set SPREED_WEBRTC_BASEPATH
    to /webrtc/: const SPREED_WEBRTC_BASEPATH = ‘/webrtc/’;
    Set SPREED_WEBRTC_SHAREDSECRET to the shared secret you generated for the
    Spreed.ME server configuration above: const SPREED_WEBRTC_SHAREDSECRET =
    can choose to modify OWNCLOUD_TEMPORARY_PASSWORD_LOGIN_ENABLED to true to allow your users to invite other, unregistered users for a call. With this on false users need to have a Nextcloud account to join a call. If
    you enable it, generate a new random string and put it below, see the included instructions.

    Now save and close the file.

    cd /var/www/owncloud/apps/spreedme/extra/static/config
    Go to the nextcloud spreedme app extra/static/config folder
    cp OwnCloudConfig.js
    Create the javascript config file

    If you put Spreed.ME in /webrtc/ (as this manual assumes), you don’t need to make any other changes. If you put it in its own domain you have to edit the file and make sure you set OWNCLOUD_ORIGIN to your Nextcloud server.Now the app is configured, go to the Nextcloud App store, locate the app in the ‘not enabled’ section and click on Enable!

    Ps: IMHO also with the tutorial, it’s far away from an easy installation…

Continue the discussion The Nextcloud forums

34 more replies