Intune Deployments

Intune is Microsoft’s EMM solution that provides both MDM and MAM. As one of Microsoft’s Azure cloud-based services, it supports app management via policies, reporting and alerts, and other essential enterprise tasks. Acrobat’s support for Intune means you can proactively manage files and features on both iOS and Android. Files can either be managed or unmanaged, and you can also control how these files move from one state to another in a way that complies with your organization’s security policies.

In MDM scenarios, the organization can control the device as well as installed applications and file storage locations. Managing the flow of data in PDF workflows often involves specifying whether operations from an unmanaged source can be moved to a managed source and vice versa. For example, a user might access their email account via the device browser, and whether or not an attached PDF will open in Acrobat Reader may depend on the admin allowing Acrobat to open unmanaged files in a managed environment.

In MAM scenarios, the organization controls some installed applications and file locations, but users may have personal apps and files on the same device. Managing data across PDF workflows is more challenging since a user may have personal applications and file storage solutions as well as enterprise apps and files on the same device. For example, while an organization would be aware of Dropbox and Document Cloud accounts accessed via an enterprise ID, a user may also have personal cloud storage accounts associated with private, personal IDs. In this context, the enterprise cloud storage account resides in the “managed” category while the personal account resides in the “unmanaged” category. Admins can still control files (PDF data) across work and personal files in the same way as MDM: simply allow or prevent opening unmanaged files in a managed environment. On iOS, admins also have another option: Adobe preferences allow end user Document Cloud and Dropbox accounts to be individually treated as managed or unmanaged.

Note that the behaviors described below vary across environments since organizations will certainly manage applications, features, and files in unique ways. Because these aspects of your configuration interact with each other, configure policies to comply with your specific needs.

Acrobat iOS

You can configure and manage Acrobat on iOS using both Intune’s default properties as well as custom properties provided by Adobe. End users can enroll and unenroll directly from their devices.


iOS system requirements

  • The latest version of Acrobat Reader (preferred)

  • A device OS supported by the product version.

  • An EMM provider that supports AppConfig (e.g. Intune)

Enrolling users

You may make Adobe apps available to users via your preferred methodology, but with in-app Intune enrollment available, end users typically just download the app from the App Store.

Instruct your users to do the following:

  1. Install and open the app.

  2. Tap the profile icon > Preferences.

  3. Go to Microsoft Intune > Enroll, and toggle the feature on.

  4. When the Microsoft sign-in screen appears, complete the enrollment process.


AppConfig file and iOS

iOS deployment involves downloading and importing an XML file into your vendor console.

Available options are detailed in the attached XML file below. The most recent Acrobat version always supports the latest AppConfig.xml file version. XML file versioning is in the format of YearMonth.

<version>2105</version>
<bundleId>com.adobe.Adobe-Reader</bundleId>

AppConfig file versions (use Save As to download)

| Version | Platform |
|---------|----------|
| 2105 | Acrobat 21.05.00 and after |
| 2003 | Acrobat 20.11.00 and after |

Admin deployment

The settings described here behave differently when applied in MDM or MAM configuration policies. In both cases, files can either be personal (unmanaged) or work (managed) depending on their origin.

To configure a policy:

  1. Download Acrobat Reader (the latest version is always recommended).

  2. Download the latest XML definition file (above).

  3. Create a device or application configuration policy.

  4. Open the XML file, and copy each of the needed values shown below into your vendor’s policy console (see the table below). DO NOT try to consume the XML file.

  5. Set the values to True or False.

  6. Complete the policy configuration workflow.


Your vendor console may provide a number of configuration options. The following table lists only those features provided by Acrobat Reader.

Interactions between 3rd party deployment consoles and device settings as well as managed and personal files can be complex. Configurations will vary across environments, and there is some nuance to what these settings mean. For example:

  • Products like Document Cloud and Dropbox offer multiple services. While the settings below cannot disable those services, they can block file system access which is usually required to complete a workflow for a particular service. For example, ExportPDF requires access to the Document Cloud file system (for saving), so blocking access to that system essentially disables ExportPDF.

  • “Managed” and “Unmanaged” are not synonymous with “blocked/unblocked” or “secure/unsecure”. The net effect of your settings may depend on other policy settings, including what you’ve enabled/allowed for other apps.

iOS configuration values

Field

Description

Notes

allowOpenFromManagedToUnmanaged

Default=*true*. Allow managed to unmanaged operations.

When allowOpenFromUnmanagedToManaged is also true, unmanaged file systems are available. Users can save managed files to unmanaged locations such as Document Cloud and Dropbox. Previously blocked features such as copy and paste, print, share, and Spotlight indexing are also permitted.

allowOpenFromUnmanagedToManaged

Default=*true*. (Note: The default is false when Microsoft Intune’s “Allow user to save copies to selected services” is enabled.) Allow unmanaged to managed operations.

When allowOpenFromUnmanagedToManaged is also true, unmanaged file systems are available, and users can save unmanaged files to managed locations. For example, a user could open an unmanaged Document Cloud or Dropbox file then save it to a managed file location. This policy controls the availability of managed Acrobat to open and copy unmanaged files to managed locations, copy unmanaged clipboard contents and paste into managed files, share managed files, use the document picker

allowDocumentCloudToBeTreatedAsManaged

Default=*true*. Allow Document Cloud as a managed file system.

When allowOpenFromUnmanagedToManaged is also true, unmanaged file systems are available. Not all clients on Document Cloud are managed, and by using it, you expose yourself to leakage through other applications. If Document Cloud should be unmanaged and unavailable in managed Acrobat, set this preference as well as allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged to false. Doing so blocks all DC services such as Export, Create, Compress, Combine, or other operations that place the output file on Document Cloud.

allowDropboxToBeTreatedAsManaged

Default=*true*. Allow Dropbox as a managed file system.

If this should be unmanaged and unavailable in managed Acrobat, set this preference as well as allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged to false.

allowDropboxTeamsToBeTreatedAsManaged

Default=*true*. Allow Dropbox Teams as a managed file system.

If this should be unmanaged and unavailable in managed Acrobat, set this preference as well as allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged to false.

allowGoogleDriveToBeTreatedAsManaged

Default=*true*. Allow Google Drive as a managed file system.

If this should be unmanaged and unavailable in managed Acrobat, set this preference as well as allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged to false.

allowOneDrivePersonalToBeTreatedAsManaged

Default=*true*. Allow OneDrive Personal as a managed file system.

If this should be unmanaged and unavailable in managed Acrobat, set this preference as well as allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged to false.

allowOneDriveBusinessToBeTreatedAsManaged

Default=*true*. Allow OneDrive Business as a managed file system.

If this should be unmanaged and unavailable in managed Acrobat, set this preference as well as allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged to false.

allowSocialSignIn

Default=*true*. Enable social sign in.

Allow the user to sign-in using social sign-in accounts such as Google or Facebook.

allowSecureWebViewSignIn

Default=*false*. Require a secure Safari webview for login.

Used when scenarios require some device identifier to authorize the requests.

allowedManagedDomains

Default=*null*. New: May, 2021. A comma-separated list of custom domains which should be treated as managed. Domains not in the custom list are unmanaged.

If the cloud service is allowed to be managed, then allowedManagedDomains is a secondary filter that requires the signed-in user to be of that domain; otherwise, the domain will be treated as unmanaged. The following are valid lists:

  • adobe.com

  • adobe.com,apple.com

This new key is especially useful for email accounts in enterprise domains such as Gmail, Apple mail, and others. For example, if Google Drive is set as managed and allowedManagedDomains includes a Google Domain (@xyzzy.com), then only accounts ending in @xyzzy.com are treated as managed. If users sign in to xyzzy@apple.com, that domain is unmanaged.
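
The following Python example is added here and is not part of Adobe's documentation or code. It evaluates a set of the values from the table above: whether a signed-in account counts as managed once allowedManagedDomains is applied, and which services set to unmanaged are still reachable because the allowOpenFrom... flags remain true. It assumes that a null allowedManagedDomains means no domain filter and that domains match exactly; the function names and the sample policy are constructed.

```python
# Added example: key names and defaults come from the table above; the
# evaluation logic is an illustration, not Adobe's implementation.
SERVICES = ("DocumentCloud", "Dropbox", "DropboxTeams", "GoogleDrive",
            "OneDrivePersonal", "OneDriveBusiness")
OPEN_FLAGS = ("allowOpenFromManagedToUnmanaged", "allowOpenFromUnmanagedToManaged")
DEFAULTS = {flag: True for flag in OPEN_FLAGS}
DEFAULTS.update({f"allow{s}ToBeTreatedAsManaged": True for s in SERVICES})
DEFAULTS["allowedManagedDomains"] = None


def effective(policy):
    """Overlay the admin-set values on the documented defaults."""
    unknown = sorted(set(policy) - set(DEFAULTS))
    if unknown:
        raise KeyError(f"not a key from the table: {unknown}")
    return {**DEFAULTS, **policy}


def account_is_managed(policy, service, account):
    """True if `account` (an e-mail address) on `service` counts as managed."""
    cfg = effective(policy)
    if not cfg[f"allow{service}ToBeTreatedAsManaged"]:
        return False
    raw = cfg["allowedManagedDomains"]
    if not raw:  # assumption: null/empty means no secondary domain filter
        return True
    allowed = {d.strip().lower() for d in raw.split(",") if d.strip()}
    # Assumption: exact match on the part after "@"; subdomains do not match.
    _, at, domain = account.rpartition("@")
    return bool(at) and domain.lower() in allowed


def audit(policy):
    """List settings that leave a data path the admin may not intend."""
    cfg = effective(policy)
    still_open = [f for f in OPEN_FLAGS if cfg[f]]
    findings = []
    for s in SERVICES:
        key = f"allow{s}ToBeTreatedAsManaged"
        if not cfg[key] and still_open:
            findings.append(f"{key}=false, but still true: {', '.join(still_open)}")
    if not cfg["allowedManagedDomains"] and any(
            cfg[f"allow{s}ToBeTreatedAsManaged"] for s in SERVICES):
        findings.append("no allowedManagedDomains: account domain is not checked")
    return findings


# Constructed sample policy using the page's example domain.
SAMPLE = {"allowDropboxToBeTreatedAsManaged": False,
          "allowedManagedDomains": "xyzzy.com,adobe.com"}
```

Running audit(SAMPLE) reports the Dropbox key, because the page's guidance for making a service unmanaged and unavailable also requires both allowOpenFrom... values to be false.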

[Figure: Permissive file access example]

Unenrolling devices

To exit the managed state:

  1. Open Acrobat.

  2. Tap the profile icon > Preferences.

  3. Go to Microsoft Intune > Enroll, and toggle the feature off.

Acrobat Android

You can configure and manage Acrobat on Android using Intune’s default properties. End users can enroll and unenroll directly from their device by signing in and out of any managed app or the Intune Company Portal.

Note

Enterprise restrictions do not apply to personal documents when Acrobat is in managed mode (the Intune Company Portal is installed and the user is signed in). When managed, only enterprise files are subject to the admin’s specified restrictions.


System requirements

  • Android 5.0+

  • Acrobat Reader (latest version preferred, 19.6.0 version is required)

  • Intune Company Portal app on the device.

Admin deployment

To configure a policy via Intune:

  1. Create a device or application configuration policy.

  2. Configure any available settings which appear in the Intune UI. Unlike iOS, there are no manual configurations, so the Intune Console displays all available options.

  3. Choose OK.


Enrolling users

End users must do the following on their devices:

  1. Install the Intune Company Portal.


  2. Open the Intune Company Portal.

  3. Sign in to the Intune Company Portal app or any other Microsoft app that’s managed. Users cannot sign in via Acrobat Reader as Microsoft sign-in is not supported from the app.

  4. If there is a company sign-in screen, complete the workflow.

After the sign-in process completes, the app automatically registers the device with the organization and enforces the Intune policies.

Tip

Users can verify enrollment by tapping the profile icon > Preferences. An “Enrolled” status appears under the “MICROSOFT INTUNE” heading.


Enforcing policies without enrollment

In a MAM context, users can switch in and out of the Intune-managed environment even when the device is not enrolled. When not signed in to their work account, they can use the app in an unmanaged way without Intune policy enforcement. Once signed in, the app is subject to the configured policies. This scenario allows end users to work on their device as usual when not accessing enterprise data while at the same time allowing IT to protect enterprise data as needed.

  1. Install the Intune Company Portal app.

Note

Do NOT sign in as that places the device in a managed state.

  2. Install Acrobat Reader.

  3. Sign in to the Intune Company Portal app or any other Microsoft app that’s managed. Users cannot sign in via Acrobat Reader as Microsoft sign-in is not supported from the app. After sign-in, the app logs in to the Microsoft account and enforces the Intune policies.

Unenrolling devices

To exit the managed state:

  1. Open the Intune Company Portal app.

  2. Sign out.

  3. Restart Acrobat (required). Acrobat automatically unregisters from Intune.

Intune FAQs

How do I allow Acrobat to open enterprise documents?

Your admin should provide instructions, but in general:

  • Android: Install the Intune Company Portal and sign in to the Portal or any other managed app. Signing in to Acrobat is not part of the enrollment process.

  • iOS: Go to Settings > Preferences. Under the Microsoft Intune section, enable Enroll. When the Microsoft login dialog appears, log in.

Does signing in to Acrobat allow access to enterprise (managed) files?

No. See above.

Can I sign in to Acrobat with my personal ID and enterprise ID?

Yes, you can sign in with either ID type, but with only one at a time. However, what ID you use is unrelated to how Intune manages files. Your admin manages apps and file locations via Intune. How you sign in to Acrobat has nothing to do with whether a file is managed.

Note that previous releases provided Intune and non-Intune versions of Acrobat. There are no longer separate installers and Acrobat sign in.

How does signing in to Acrobat with a personal ID or enterprise ID affect my files?

It doesn’t. Whether a file is managed or unmanaged depends on what apps and file locations your company can manage through Intune.

What apps and locations can be managed?

Your IT organization decides what’s managed, but not all apps are subject to Intune management. OneDrive and SharePoint cloud storage can be managed. Local files may be managed depending on the app and account they are opened from. Document Cloud (Adobe’s Document Cloud storage service) is currently not subject to Intune management.

Why are my personal files subject to Intune restrictions?

Your IT organization specifies what apps and file locations are managed. Files originating from managed locations are subject to Intune’s restrictions.

Can Acrobat open unmanaged and managed files?

Yes. Acrobat automatically knows what apps and locations the admin controls (has specified as managed). Files that originate from managed locations are managed and are subject to enterprise restrictions. Personal files from unmanaged locations/apps have no restrictions.

How can I exit (disable) enterprise/managed mode?

  • Android: Uninstall the Intune Company Portal, or sign out of the portal.

  • iOS: Go to Settings > Preferences. Under the Microsoft Intune section, disable Enroll.

Note

Performing this action deletes all enterprise files from all managed apps.

What is multi-identity?

Acrobat supports multi-identity, which simply means that it knows whether a file should be managed or not; in other words, it distinguishes between enterprise and personal files based on Intune settings.

When was multi-identity implemented?

January 2020 on Android. February 2020 on iOS.

How does the mobile app manage sign-in tokens?

Sign-in tokens are managed by Microsoft Intune.

What is the refresh time before sign-in is again required?

That is a setting in the Microsoft Intune console.

Does Acrobat encrypt content on the mobile phone? Where is it stored?

Yes. iOS provides standard app container encryption.

Are there separate Acrobat installers for Intune?

No.

When the device or app is in a managed state, is Scan integration enabled?

Yes. Integration with the Scan App remains functional.