Mobile Acrobat and AppConfig

Mobile Acrobat supports AppConfig and you should be able to deploy the product via any 3rd party vendor which is also AppConfig-compliant.

A number of vendors support AppConfig–a standards-based framework that streamlines app configuration and deployment via participating EMM vendors. Adobe provides an AppConfig-compliant configuration file that allows IT to manage Acrobat with any EMM product that supports AppConfig, including those like MobileIron with which Acrobat Reader has been tested and certified. Acrobat Reader on iOS provides an AppConfig-compliant XML file that can be consumed by some 3rd party EMM solutions. Follow the configuration and deployment instructions provided by your EMM vendor.

Note

The AppConfig Community is a collection of industry-leading EMM solution providers and app developers that have come together to help developers and customers drive mobility in business. Acrobat is part of the community. For information about Adobe’s adoption of enterprise mobile standards, refer to this blog.

AppConfig and Android

Android vendor consoles are automatically populated with supported configurations once an app is uploaded.

AppConfig file and iOS

iOS deployment involves downloading and importing an XML file into your vendor console.

Available options are detailed in the attached XML file below. The most recent Acrobat version always supports the latest AppConfig.xml file version. XML file versioning is in the format of YearMonth.

<version>2105</version>
<bundleId>com.adobe.Adobe-Reader</bundleId>

AppConfig file versions

Version    Platform
2105       Acrobat 21.05.00 and after
2003       Acrobat 20.11.00 and after

Admin deployment

The settings described here behave differently when applied in MDM or MAM configuration policies. In both cases, files can either be personal (unmanaged) or work (managed) depending on their origin.

To configure a policy:

  1. Download Acrobat Reader (the latest version is always recommended).

  2. Download the latest XML definition file (above).

  3. Create a device or application configuration policy.

  4. Open the XML file, and copy each of the needed values shown below into your vendor’s policy console (see the table below). DO NOT try to consume the XML file.

  5. Set the values to True or False.

  6. Complete the policy configuration workflow.


Your vendor console may provide a number of configuration options. The following table lists only those features provided by DC Acrobat Reader.

Interactions between 3rd party deployment consoles and device settings, as well as between managed and personal files, can be complex. Configurations will vary across environments, and there is some nuance to what these settings mean. For example:

  • Products like Document Cloud and Dropbox offer multiple services. While the settings below cannot disable those services, they can block file system access which is usually required to complete a workflow for a particular service. For example, ExportPDF requires access to the Document Cloud file system (for saving), so blocking access to that system essentially disables ExportPDF.

  • “Managed” and “Unmanaged” are not synonymous with “blocked/unblocked” or “secure/unsecure”. The net effect of your settings may depend on other policy settings, including what you’ve enabled/allowed for other apps.

iOS configuration values

Field

Description

Notes

allowOpenFromManagedToUnmanaged

Default=*true*. Allow managed to unmanaged operations.

When allowOpenFromUnmanagedToManaged is also true, unmanaged file systems are available. Users can save managed files to unmanaged locations such as Document Cloud and Dropbox. Previously blocked features such as copy and paste, print, share, and Spotlight indexing are also permitted.

allowOpenFromUnmanagedToManaged

Default=*true*. (Note: The default is false when Microsoft Intune’s Allow user to save copies to selected services is enabled.) Allow unmanaged to managed operations.

When allowOpenFromUnmanagedToManaged is also true, unmanaged file systems are available, and users can save unmanaged files to managed locations. For example, a user could open an unmanaged Document Cloud or Dropbox file then save it to a managed file location. This policy controls the availability of managed Acrobat to open and copy unmanaged files to managed locations, copy unmanaged clipboard contents and paste into managed files, share managed files, use the document picker

allowDocumentCloudToBeTreatedAsManaged

Default=*true*. Allow Document Cloud as a managed file system.

When allowOpenFromUnmanagedToManaged is also true, unmanaged file systems are available. Not all clients on Document Cloud are managed, and by using it, you expose yourself to leakage through other applications. If Document Cloud should be unmanaged and unavailable in managed Acrobat, set this preference as well as allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged to false. Doing so blocks all DC services such as Export, Create, Compress, Combine, or other operations that place the output file on Document Cloud.

allowDropboxToBeTreatedAsManaged

Default=*true*. Allow Dropbox as a managed file system.

If this should be unmanaged and unavailable in managed Acrobat, set this preference as well as allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged to false.

allowDropboxTeamsToBeTreatedAsManaged

Default=*true*. Allow Dropbox Teams as a managed file system.

If this should be unmanaged and unavailable in managed Acrobat, set this preference as well as allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged to false.

allowGoogleDriveToBeTreatedAsManaged

Default=*true*. Allow Google Drive as a managed file system.

If this should be unmanaged and unavailable in managed Acrobat, set this preference as well as allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged to false.

allowOneDrivePersonalToBeTreatedAsManaged

Default=*true*. Allow OneDrive Personal as a managed file system.

If this should be unmanaged and unavailable in managed Acrobat, set this preference as well as allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged to false.

allowOneDriveBusinessToBeTreatedAsManaged

Default=*true*. Allow OneDrive Business as a managed file system.

If this should be unmanaged and unavailable in managed Acrobat, set this preference as well as allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged to false.

allowSocialSignIn

Default=*true*. Enable social sign in.

This key is MDM only and ignored under Intune MAM. Allow the user to sign-in using social sign-in accounts such as Google or Facebook.

allowSecureWebViewSignIn

Default=*false*. Require a secure Safari webview for login.

Deprecated: sign-ins now happen in a secure Safari webview. Used when scenarios require some device identifier to authorize the requests.

allowedManagedDomains

Default=*null*. New: May, 2021. A comma-separated list of custom domains which should be allowed to be treated as managed. Domains not in the custom list are unmanaged.

If the cloud service is allowed to be managed, then allowedManagedDomains is a secondary filter that requires the signed-in user to be of that domain; otherwise, the domain will be treated as unmanaged. The following are valid lists:

  • adobe.com

  • adobe.com,apple.com

This new key is especially useful for email accounts in enterprise domains such as Gmail, Apple mail, and others. For example, if Google Drive is set as managed and allowedManagedDomains includes a Google Domain (@xyzzy.com), then only accounts ending in @xyzzy.com are treated as managed. If users sign in to xyzzy@apple.com, that domain is unmanaged.
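
The rules in the table above can be checked before a policy is pushed. The sketch below is an added example, not Adobe's code or part of the AppConfig file: it overlays a policy on the documented defaults, flags a service set to unmanaged while either transfer key is still true, and applies allowedManagedDomains as the secondary filter. The function names, the dictionary form of a policy, and reading a null domain list as "no domain filter" are assumptions.

```python
# Added example: models the rules in the table above; not Adobe's implementation.
DEFAULTS = {
    "allowOpenFromManagedToUnmanaged": True,
    "allowOpenFromUnmanagedToManaged": True,
    "allowDocumentCloudToBeTreatedAsManaged": True,
    "allowDropboxToBeTreatedAsManaged": True,
    "allowDropboxTeamsToBeTreatedAsManaged": True,
    "allowGoogleDriveToBeTreatedAsManaged": True,
    "allowOneDrivePersonalToBeTreatedAsManaged": True,
    "allowOneDriveBusinessToBeTreatedAsManaged": True,
    "allowSocialSignIn": True,
    "allowSecureWebViewSignIn": False,
    "allowedManagedDomains": None,
}
TRANSFER_KEYS = ("allowOpenFromManagedToUnmanaged", "allowOpenFromUnmanagedToManaged")


def effective(policy):
    """Overlay the keys set in the console on the documented defaults."""
    unknown = set(policy) - set(DEFAULTS)
    if unknown:
        raise KeyError(f"keys not in the table: {sorted(unknown)}")
    return {**DEFAULTS, **policy}


def lint(policy):
    """Flag services set unmanaged while a transfer key is still true."""
    p = effective(policy)
    open_keys = [k for k in TRANSFER_KEYS if p[k]]
    return [
        f"{k} is false but {', '.join(open_keys)} still true"
        for k, v in p.items()
        if k.endswith("ToBeTreatedAsManaged") and v is False and open_keys
    ]


def account_is_managed(policy, service_key, account):
    """Apply allowedManagedDomains as the secondary filter on a managed service."""
    p = effective(policy)
    if not p[service_key]:
        return False
    domains = p["allowedManagedDomains"]
    if domains is None:  # assumption: null means no domain filter is applied
        return True
    allowed = {d.strip().lower() for d in domains.split(",") if d.strip()}
    # Compare the whole domain after the last "@"; a suffix match would admit look-alikes
    _, sep, domain = account.rpartition("@")
    return bool(sep) and domain.lower() in allowed
```

A non-empty result from lint() means the service is marked unmanaged but, per the notes above, is not yet unavailable in managed Acrobat.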