Intune Deployments
Intune is Microsoft’s EMM solution that provides both MDM and MAM. As one of Microsoft’s Azure cloud-based services, it supports app management via policies, reporting and alerts, and other essential enterprise tasks. Acrobat’s support for Intune means you can proactively manage files and features on both iOS and Android. Files can either be managed or unmanaged, and you can also control how these files move from one state to another in a way that complies with your organization’s security policies.
In MDM scenarios, the organization can control the device as well as installed applications and file storage locations. Managing the flow of data in PDF workflows often involves specifying whether operations from an unmanaged source can be moved to a managed source and vice versa. For example, a user might access their email account via the device browser, and whether or not an attached PDF will open in Acrobat Reader may depend on the admin allowing Acrobat to open unmanaged files in a managed environment.
In MAM scenarios, the organization controls some installed applications and file locations, but users may have personal apps and files on the same device. Managing data across PDF workflows is more challenging since a user may have personal applications and file storage solutions as well as enterprise apps and files on the same device. For example, while an organization would be aware of Dropbox and Document Cloud accounts accessed via an enterprise ID, a user may also have personal cloud storage accounts associated with private, personal IDs. In this context, the enterprise cloud storage account resides in the “managed” category while the personal account resides in the “unmanaged” category. Admins can still control files (PDF data) across work and personal files in the same way as MDM: simply allow or prevent opening unmanaged files in a managed environment. On iOS, admins also have another option: Adobe preferences allow end user Document Cloud and Dropbox accounts to be individually treated as managed or unmanaged.
Note that the behaviors described below vary across environments since organizations will certainly manage applications, features, and files in unique ways. Because these aspects of your configuration interact with each other, configure policies to comply with your specific needs.
Acrobat iOS
You can configure and manage Acrobat on iOS using both Intune’s default properties as well as custom properties provided by Adobe. End users can enroll and unenroll directly from their devices.
iOS system requirements
The latest version of Acrobat Reader (preferred)
A device OS supported by the product version.
An EMM provider that supports AppConfig (e.g. Intune)
Enrolling users
You may make Adobe apps available to users via your preferred methodology, but with in-app Intune enrollment available, end users typically just download the app from the App Store.
Instruct your users to do the following:
Install and open the app.
Tap the profile icon > Preferences.
Go to Microsoft Intune > Enroll, and toggle the feature on.
When the Microsoft sign-in screen appears, complete the enrollment process.
AppConfig file and iOS
iOS deployment involves downloading and importing an XML file into your vendor console.
Available options are detailed in the attached XML file below. The most recent Acrobat version always supports the latest AppConfig.xml file version. XML file versioning is in the format of YearMonth.
<version>2105</version>
<bundleId>com.adobe.Adobe-Reader</bundleId>
Version |
Platform |
---|---|
Acrobat 21.05.00 and after |
|
Acrobat 20.11.00 and after |
Admin deployment
The settings described here behave differently when applied in MDM or MAM configuration policies. In both cases, files can either be personal (unmanaged) or work (managed) depending on their origin.
To configure a policy:
Download Acrobat Reader (the latest version is always recommended).
Download the latest XML definition file (above).
Create a device or application configuration policy.
Open the XML file, and copy each of the needed values shown below into your vendor’s policy console (see the table below). DO NOT try to consume the XML file.
Set the values to True or False.
Complete the policy configuration workflow.
Your vendor console may provide a number of configuration options. The following table lists only those features provided by Acrobat Reader.
Interactions between 3rd party deployment consoles and device settings as well as managed and personal files can be complex. Configurations will vary across environments, and there is some nuance to what these settings mean. For example:
Products like Document Cloud and Dropbox offer multiple services. While the settings below cannot disable those services, they can block file system access which is usually required to complete a workflow for a particular service. For example, ExportPDF requires access to the Document Cloud file system (for saving), so blocking access to that system essentially disables ExportPDF.
“Managed” and “Unmanaged” are not synonymous with “blocked/unblocked” or “secure/unsecure”. The net effect of your settings may depend on other policy settings, including what you’ve enabled/allowed for other apps.
Field | Description | Notes |
---|---|---|
allowOpenFromManagedToUnmanaged | Default=*true*. Allow managed to unmanaged operations. | When |
allowOpenFromUnmanagedToManaged | Default=*true*. (Note: The default is false when Microsoft Intune’s Allow user to save copies to selected services is enabled.) Allow unmanaged to managed operations. | When |
allowDocumentCloudToBeTreatedAsManaged | Default=*true*. Allow Document Cloud as a managed file system. | When |
allowDropboxToBeTreatedAsManaged | Default=*true*. Allow Dropbox as a managed file system. | If this should be unmanaged and unavailable in managed Acrobat, set this preference as well as |
allowDropboxTeamsToBeTreatedAsManaged | Default=*true*. Allow Dropbox Teams as a managed file system. | If this should be unmanaged and unavailable in managed Acrobat, set this preference as well as |
allowGoogleDriveToBeTreatedAsManaged | Default=*true*. Allow Google Drive as a managed file system. | If this should be unmanaged and unavailable in managed Acrobat, set this preference as well as |
allowOneDrivePersonalToBeTreatedAsManaged | Default=*true*. Allow OneDrive Personal as a managed file system. | If this should be unmanaged and unavailable in managed Acrobat, set this preference as well as |
allowOneDriveBusinessToBeTreatedAsManaged | Default=*true*. Allow OneDrive Business as a managed file system. | If this should be unmanaged and unavailable in managed Acrobat, set this preference as well as |
allowSocialSignIn | Default=*true*. Enable social sign in. | Allow the user to sign in using social sign-in accounts such as Google or Facebook. |
allowSecureWebViewSignIn | Default=*false*. Require a secure Safari webview for login. | Used when scenarios require some device identifier to authorize the requests. |
allowedManagedDomains | Default=*null*. New: May, 2021. A comma-separated list of custom domains that should be treated as managed. Domains not in the custom list are unmanaged. | If the cloud service is allowed to be managed, then allowedManagedDomains is a secondary filter that requires the signed-in user to be of that domain; otherwise, the domain will be treated as unmanaged. The following are valid lists: This new key is especially useful for email accounts in enterprise domains such as Gmail, Apple mail, and others. For example, if Google Drive is set as managed and |
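A pre-flight check for the values in the table above, as an added example (not Adobe's or Microsoft's code): it merges a planned set of overrides over the documented defaults, flags mistyped keys and non-boolean values, and models the allowedManagedDomains secondary filter for a given signed-in account. The function names, the sample values, the reading of a null list as "no domain filter", and exact-match domain comparison are assumptions made for illustration.

```python
# Added example: models the field table above; not Adobe's implementation.
SERVICES = ("DocumentCloud", "Dropbox", "DropboxTeams", "GoogleDrive",
            "OneDrivePersonal", "OneDriveBusiness")

# Defaults exactly as listed in the table.
DEFAULTS = {f"allow{s}ToBeTreatedAsManaged": True for s in SERVICES}
DEFAULTS.update({
    "allowOpenFromManagedToUnmanaged": True,
    "allowOpenFromUnmanagedToManaged": True,
    "allowSocialSignIn": True,
    "allowSecureWebViewSignIn": False,
    "allowedManagedDomains": None,
})


def effective_policy(overrides):
    """Merge planned overrides over the defaults; return (policy, errors)."""
    policy, errors = dict(DEFAULTS), []
    for key, value in overrides.items():
        if key not in DEFAULTS:
            errors.append(f"unknown key: {key}")  # e.g. a typo in the key name
        elif key == "allowedManagedDomains":
            domains = [d.strip().lower() for d in str(value).split(",")]
            if all(domains):
                policy[key] = domains
            else:
                errors.append("allowedManagedDomains has an empty entry")
        elif isinstance(value, bool):
            policy[key] = value
        else:
            errors.append(f"{key} must be True or False, got {value!r}")
    return policy, errors


def account_is_managed(policy, service, user_email):
    """True if the signed-in account on `service` would be treated as managed."""
    if not policy[f"allow{service}ToBeTreatedAsManaged"]:
        return False  # service is not allowed to be managed at all
    domains = policy["allowedManagedDomains"]
    if domains is None:
        return True  # assumption: null means no secondary domain filter
    # Assumption: exact, case-insensitive match on the part after the last "@".
    return user_email.rsplit("@", 1)[-1].lower() in domains


# Constructed sample: Dropbox unmanaged, two work domains allowed.
PLANNED = {"allowDropboxToBeTreatedAsManaged": False,
           "allowedManagedDomains": "example.com, corp.example.org"}

if __name__ == "__main__":
    policy, errors = effective_policy(PLANNED)
    for svc, who in [("GoogleDrive", "ana@example.com"),
                     ("GoogleDrive", "ana@gmail.com"), ("Dropbox", "ana@example.com")]:
        print(svc, who, "managed" if account_is_managed(policy, svc, who) else "unmanaged")
    print("errors:", errors)
```

With all defaults left in place, the model treats a personal Google account as managed, which is the case the domain list is meant to narrow.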
Permissive file access example
Unenrolling devices
To exit the managed state:
Open Acrobat.
Tap the profile icon > Preferences.
Go to Microsoft Intune > Enroll, and toggle the feature off.
Acrobat Android
You can configure and manage Acrobat on Android using Intune’s default properties. End users can enroll and unenroll directly from their device by signing in and out of any managed app or the Intune Company Portal.
Note
Enterprise restrictions do not apply to personal documents when Acrobat is in managed mode (the Intune Company Portal is installed and the user is signed in). When managed, only enterprise files are subject to the admin’s specified restrictions.
System requirements
Android 5.0+
Acrobat Reader (latest version preferred, 19.6.0 version is required)
Intune Company Portal app on the device.
Admin deployment
To configure a policy via Intune:
Create a device or application configuration policy.
Configure any available settings which appear in the Intune UI. Unlike iOS, there are no manual configurations, so the Intune Console displays all available options.
Choose OK.
Enrolling users
End users must do the following on their devices:
Install the Intune Company Portal.
Open the Intune Company Portal.
Sign in to the Intune Company Portal app or any other Microsoft app that’s managed. Users cannot sign in via Acrobat Reader as Microsoft sign-in is not supported from the app.
If there is a company sign-in screen, complete the workflow.
After the sign-in process completes, the app automatically registers the device with the organization and enforces the Intune policies.
Tip
Users can verify enrollment by tapping the profile icon > Preferences. An “Enrolled” status appears under the “MICROSOFT INTUNE” heading.
Enforcing policies without enrollment
In a MAM context users can switch in and out of the Intune-managed environment even when the device is not enrolled. When not signed in to their work account, they can use the app in an unmanaged way without Intune policy enforcement. Once signed in, the app is subject to the configured policies. This scenario allows end users to work on their device as usual when not accessing the enterprise data while at the same time allowing IT to protect enterprise data as needed.
Install the Intune Company Portal app.
Note
Do NOT sign in as that places the device in a managed state.
Install Acrobat Reader.
Sign in to the Intune Company Portal app or any other Microsoft app that’s managed. Users cannot sign in via Acrobat Reader as Microsoft sign-in is not supported from the app. After sign-in, the app logs in to the Microsoft account and enforces the Intune policies.
Unenrolling devices
To exit the managed state:
Open the Intune Company Portal app.
Sign out.
Restart Acrobat (required). Acrobat automatically unregisters from Intune.
Intune FAQs
How do I allow Acrobat to open enterprise documents?
Your admin should provide instructions, but in general:
Android: Install the Intune Company Portal and sign in to the Portal or any other managed app. Signing in to Acrobat is not part of the enrollment process.
iOS: Go to Settings > Preferences. Under the Microsoft Intune section, enable Enroll. When the Microsoft login dialog appears, log in.
Does signing in to Acrobat allow access to enterprise (managed) files?
No. See above.
Can I sign in to Acrobat with my personal ID and enterprise ID?
Yes, you can sign in with either ID type, but with only one at a time. However, what ID you use is unrelated to how Intune manages files. Your admin manages apps and file locations via Intune. How you sign in to Acrobat has nothing to do with whether a file is managed.
Note that previous releases provided Intune and non-Intune versions of Acrobat. There are no longer separate installers and Acrobat sign in.
How does signing in to Acrobat with a personal ID or enterprise ID affect my files?
It doesn’t. Whether a file is managed or unmanaged depends on what apps and file locations your company can manage through Intune.
What apps and locations can be managed?
Your IT organization decides what’s managed, but not all apps are subject to Intune management. OneDrive and SharePoint cloud storage can be managed. Local files may be managed depending on the app and account they are opened from. Document Cloud (Adobe’s Document Cloud storage service) is currently not subject to Intune management.
Why are my personal files subject to Intune restrictions?
Your IT organization specifies what apps and file locations are managed. Files originating from managed locations are subject to Intune’s restrictions.
Can Acrobat open unmanaged and managed files?
Yes. Acrobat automatically knows what apps and locations the admin controls (has specified as managed). Files that originate from managed locations are managed and are subject to enterprise restrictions. Personal files from unmanaged locations/apps have no restrictions.
How can I exit (disable) enterprise/managed mode?
Android: Uninstall the Intune Company Portal, or sign out of the portal.
iOS: Go to Settings > Preferences. Under the Microsoft Intune section, disable Enroll.
Note
Performing this action deletes all enterprise files from all managed apps.
What is multi-identity?
Acrobat supports multi-identity, which simply means that it knows whether a file should be a managed file or not; in other words, it distinguishes between enterprise and personal files based on Intune settings.
When was multi-identity implemented?
January 2020 on Android. February 2020 on iOS.
How does the mobile app manage sign-in tokens?
Sign-in tokens are managed by Microsoft Intune.
What is the refresh time before sign-in is again required?
That is a setting in the Microsoft Intune console.
Does Acrobat encrypt content on the mobile phone? Where is it stored?
Yes. iOS provides standard app container encryption.
Are there separate Acrobat Intune installers for Intune?
No.
When the device or app is in a managed state, is Scan integration enabled?
Yes. Integration with the Scan App remains functional.