Mobile Acrobat and Intune

Intune is Microsoft’s EMM solution that provides both MDM and MAM. As one of Microsoft’s Azure cloud-based services, it supports app management via policies, reporting and alerts, and other essential enterprise tasks. Acrobat’s support for Intune means you can proactively manage files and features on both iOS and Android. Files can either be managed or unmanaged, and you can also control how these files move from one state to another in a way that complies with your organization’s security policies.

In MDM scenarios, the organization can control the device as well as installed applications and file storage locations. Managing the flow of data in PDF workflows often involves specifying whether operations from an unmanaged source can be moved to a managed source and vice versa. For example, a user might access their personal email account via the device browser, and whether or not an attached PDF will open in Acrobat Reader may depend on the admin allowing Acrobat to open unmanaged files in a managed environment.

In MAM scenarios, the organization controls some installed applications and file locations, but users may have personal apps and files on the same device. Managing data across PDF workflows is more challenging since a user may have personal applications and file storage solutions as well as enterprise apps and files on the same device. For example, while an organization would be aware of Dropbox and Document Cloud accounts accessed via an enterprise ID, a user may also have personal cloud storage accounts associated with private, personal IDs. In this context, the enterprise cloud storage account resides in the “managed” category while the personal account resides in the “unmanaged” category. Admins can still control files (PDF data) across work and personal in the same way as MDM: simply allow or prevent opening unmanaged files in a managed environment. On iOS, admins also have another option: Adobe preferences allow end user Document Cloud and Dropbox accounts to be individually treated as managed or unmanaged.

Note that the behaviors described below vary across environments since organizations will certainly manage applications, features, and files in unique ways. Because these aspects of your configuration interact with each other, configure policies to comply with your specific needs.

Acrobat iOS

You can configure and manage Acrobat on iOS using both Intune’s default properties as well as custom properties provided by Adobe. End users can enroll and unenroll directly from their device.


Aug, 2020 release change

To support OneDrive-Intune integration, the Acrobat iOS app introduced a change that results in all users seeing a “Sign in” dialog whether or not they are signed in. This change impacts all users and requires that an admin execute the sign-in/acceptance workflow on behalf of all users. The admin should:

  1. Open managed Acrobat.

  2. Click OK when the Sign in dialog appears.

  3. Complete the sign in workflow.

All users will now be able to use Acrobat without seeing the sign in dialog.


Enrolling users

You may make Adobe apps available to users via your preferred methodology, but with in-app Intune enrollment available, end users typically just download the app from the App Store.

Instruct your users to do the following:

  1. Install and open the app.

  2. Tap the profile icon > Preferences.

  3. Go to Microsoft Intune > Enroll, and toggle the feature on.

  4. When the Microsoft sign in screen appears, complete the enrollment process.


Admin deployment

The settings described here behave differently when applied in MDM or MAM configuration policies. In both cases, files can either be personal (unmanaged) or work (managed) depending on their origin.

To configure a policy via Intune:

  1. Download Acrobat Reader (the latest version is always recommended).

  2. Download the latest XML definition file.

  3. Create a device or application configuration policy.

  4. Open the XML file, and copy each of the needed values shown below into Intune’s policy console (see the table below). DO NOT try to consume the XML file.

  5. Set the values to True or False.

  6. Complete the policy configuration workflow.


The Intune console provides a number of configuration options. The following table lists only those features provided by DC Acrobat Reader. Interactions between Intune and device settings as well as managed and personal files can be complex. Configurations will vary across environments, and there is some nuance to what these settings mean:

  • Products like Document Cloud and Dropbox offer multiple services. While the settings below cannot disable those services, they can block file system access which is usually required to complete a workflow for a particular service. For example, ExportPDF requires access to the Document Cloud file system (for saving), so blocking access to that system essentially disables ExportPDF.

  • “Managed” and “Unmanaged” are not synonymous with “blocked/unblocked” or “secure/unsecure”. The net effect of your settings may depend on other Intune policy settings, including what you’ve enabled/allowed for other apps.

Configuration values

Each entry below gives the field name, followed by its description and notes.

allowOpenFromManagedToUnmanaged

Description: Default=true. Allow managed to unmanaged operations.

Notes: When allowOpenFromUnmanagedToManaged is also true, unmanaged file systems are available. Users can save managed files to unmanaged locations such as Document Cloud and Dropbox. Previously blocked features such as copy and paste, print, share, and Spotlight indexing are also permitted.

allowOpenFromUnmanagedToManaged

Description: Default=true. (Note: The default is false when Microsoft Intune’s “Allow user to save copies to selected services” is enabled.) Allow unmanaged to managed operations.

Notes: When allowOpenFromUnmanagedToManaged is also true, unmanaged file systems are available, and users can save unmanaged files to managed locations. For example, a user could open an unmanaged Document Cloud or Dropbox file then save it to a managed file location. This policy controls the availability of managed Acrobat to open and copy unmanaged files to managed locations, copy unmanaged clipboard contents and paste into managed files, share managed files, use the document picker

allowDocumentCloudToBeTreatedAsManaged

Description: Default=true. Allow Document Cloud as a managed file system.

Notes: When allowOpenFromUnmanagedToManaged is also true, unmanaged file systems are available. Not all clients on Document Cloud are managed, and by using it, you expose yourself to leakage through other applications. If Document Cloud should be unmanaged and unavailable in managed Acrobat, set this preference as well as allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged to false. Doing so blocks all DC services such as Export, Create, Compress, Combine, or other operations that place the output file on Document Cloud.

allowDropboxToBeTreatedAsManaged

Description: Default=true. Allow Dropbox as a managed file system.

Notes: If this should be unmanaged and unavailable in managed Acrobat, set this preference as well as allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged to false.

allowDropboxTeamsToBeTreatedAsManaged

Description: Default=true. Allow Dropbox Teams as a managed file system.

Notes: If this should be unmanaged and unavailable in managed Acrobat, set this preference as well as allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged to false.

allowGoogleDriveToBeTreatedAsManaged

Description: Default=true. Allow Google Drive as a managed file system.

Notes: If this should be unmanaged and unavailable in managed Acrobat, set this preference as well as allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged to false.

allowOneDrivePersonalToBeTreatedAsManaged

Description: Default=true. Allow OneDrive as a managed file system.

Notes: If this should be unmanaged and unavailable in managed Acrobat, set this preference as well as allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged to false.

allowOneDriveBusinessToBeTreatedAsManaged

Description: Default=true. Allow OneDrive Business as a managed file system.

Notes: If this should be unmanaged and unavailable in managed Acrobat, set this preference as well as allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged to false.
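
The rule in the table above, that a storage location is only unavailable when its own key and both allowOpenFrom... keys are false, is easy to get wrong when entering values by hand. The following Python check is an added example, not Adobe's or Microsoft's code: it lints a proposed key/value set before it goes into the Intune console. The key names and defaults are taken from the table; the function names, messages and sample policies are assumptions made for illustration.

```python
# Added example: lint a proposed Acrobat iOS key/value set before entering it in Intune.
# Key names and defaults are from the table; lint() and its messages are illustrative.
OPEN_FLAGS = ("allowOpenFromManagedToUnmanaged", "allowOpenFromUnmanagedToManaged")
STORAGE_FLAGS = {
    "allowDocumentCloudToBeTreatedAsManaged": "Document Cloud",
    "allowDropboxToBeTreatedAsManaged": "Dropbox",
    "allowDropboxTeamsToBeTreatedAsManaged": "Dropbox Teams",
    "allowGoogleDriveToBeTreatedAsManaged": "Google Drive",
    "allowOneDrivePersonalToBeTreatedAsManaged": "OneDrive",
    "allowOneDriveBusinessToBeTreatedAsManaged": "OneDrive Business",
}

def effective(policy, save_copies_restricted=False):
    """Overlay admin-set boolean values on the documented defaults (all true)."""
    eff = dict.fromkeys((*OPEN_FLAGS, *STORAGE_FLAGS), True)
    if save_copies_restricted:
        # Documented exception: this default is false when Intune's
        # "Allow user to save copies to selected services" is enabled.
        eff["allowOpenFromUnmanagedToManaged"] = False
    eff.update({k: v for k, v in policy.items() if k in eff and isinstance(v, bool)})
    return eff

def lint(policy, save_copies_restricted=False):
    """Return a sorted list of findings for a {key: bool} policy."""
    findings = []
    for key, value in policy.items():
        if key not in OPEN_FLAGS and key not in STORAGE_FLAGS:
            findings.append(f"{key}: not a key listed in the table (check spelling)")
        elif not isinstance(value, bool):
            findings.append(f"{key}: value must be True or False")
    eff = effective(policy, save_copies_restricted)
    still_open = [f for f in OPEN_FLAGS if eff[f]]
    if len(still_open) == 2:
        findings.append("both open flags true: managed files can be saved to unmanaged locations")
    for key, name in STORAGE_FLAGS.items():
        if eff[key]:
            continue
        if still_open:
            findings.append(f"{name}: unmanaged but still available; also set {', '.join(still_open)} to false")
        elif name == "Document Cloud":
            findings.append("Document Cloud: blocked; Export, Create, Compress, Combine will not work")
    return sorted(findings)

# Constructed sample policies, not taken from a real tenant.
HALF_BLOCKED = {"allowDropboxToBeTreatedAsManaged": False, "allowDropBoxTeamsToBeTreatedAsManaged": False}
LOCKED_DOWN = {**dict.fromkeys(OPEN_FLAGS, False), "allowDocumentCloudToBeTreatedAsManaged": False}
```

`lint(HALF_BLOCKED)` reports the misspelled Dropbox Teams key and shows that Dropbox is still reachable because both open flags keep their default of true.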


Permissive file access example

_images/intunemanage2.png

Exiting device management (un-enrolling)

To exit the managed state:

  1. Open Acrobat.

  2. Tap the profile icon > Preferences.

  3. Go to Microsoft Intune > Enroll, and toggle the feature off.

Acrobat Android

You can configure and manage Acrobat on Android using Intune’s default properties. End users can enroll and unenroll directly from their device by signing in and out of any managed app or the Intune Company Portal.

Note

Enterprise restrictions do not apply to personal documents when Acrobat is in managed mode (the Intune Company Portal is installed and the user is signed in). When managed, only enterprise files are subject to the admin’s specified restrictions.


System requirements

  • Android 5.0+

  • Acrobat Reader (latest version preferred, 19.6.0 version is required)

  • Intune Company Portal app on the device.

Admin deployment

To configure a policy via Intune:

  1. Create a device or application configuration policy.

  2. Configure any available settings which appear in the Intune UI. Unlike iOS, there are no manual configurations, so the Intune Console displays all available options.

  3. Choose OK.


Enrolling users

End users must do the following on their device:

  1. Install the Intune Company Portal.

  2. Open the Intune Company Portal.

  3. Sign in to the Intune Company Portal app or any other Microsoft app that’s managed. Users cannot sign in via Acrobat Reader as Microsoft sign-in is not supported from the app.

  4. If there is a company sign in screen, complete the workflow.

After the sign in process completes, the app automatically registers the device with the organization and enforces the Intune policies.

Tip

Users can verify enrollment by tapping the profile icon > Preferences. An “Enrolled” status appears under the “MICROSOFT INTUNE” heading.


Enforcing policies without enrollment

In a MAM context, users can switch in and out of the Intune managed environment even when the device is not enrolled. When not signed in to their work account, they can use the app in an unmanaged way without Intune policy enforcement. Once signed in, the app is subject to the configured policies. This scenario allows end users to work on their device as usual when not accessing enterprise data, while at the same time allowing IT to protect enterprise data as needed.

  1. Install the Intune Company Portal app.

Note

Do NOT sign in as that places the device in a managed state.

  2. Install Acrobat Reader.

  3. Sign in to the Intune Company Portal app or any other Microsoft app that’s managed. Users cannot sign in via Acrobat Reader as Microsoft sign-in is not supported from the app. After sign-in, the app logs in to the Microsoft account and enforces the Intune policies.

Exiting device management (un-enrolling)

To exit the managed state:

  1. Open the Intune Company Portal app.

  2. Sign out.

  3. Restart Acrobat (required). Acrobat automatically unregisters from Intune.

Intune FAQs

How do I allow Acrobat to open enterprise documents?

Your admin should provide instructions, but in general:

  • Android: Install the Intune Company Portal and sign in to the Portal or any other managed app. Signing in to Acrobat is not part of the enrollment process.

  • iOS: Go to Settings > Preferences. Under the Microsoft Intune section, enable Enroll. When the Microsoft login dialog appears, log in.

Does signing in to Acrobat allow access to enterprise (managed) files?

No. See above.

Can I sign in to Acrobat with my personal ID and enterprise ID?

Yes, you can sign in with either ID type, but with only one at a time. However, what ID you use is unrelated to how Intune manages files. Your admin manages apps and file locations via Intune. How you sign in to Acrobat has nothing to do with whether a file is managed.

Note that previous releases provided Intune and non-Intune versions of Acrobat. There are no longer separate installers and Acrobat sign in.

How does signing in to Acrobat with a personal ID or enterprise ID affect my files?

It doesn’t. Whether a file is managed or unmanaged depends on what apps and file locations your company can manage through Intune.

What apps and locations can be managed?

Your IT organization decides what’s managed, but not all apps are subject to Intune management. OneDrive and SharePoint cloud storage can be managed. Local files may be managed depending on the app and account they are opened from. Document Cloud (Adobe’s DC storage service) is currently not subject to Intune management.

Why are my personal files subject to Intune restrictions?

Your IT organization specifies what apps and file locations are managed. Files originating from managed locations are subject to Intune’s restrictions.

Can Acrobat open unmanaged and managed files?

Yes. Acrobat automatically knows what apps and locations the admin controls (has specified as managed). Files that originate from managed locations are managed and are subject to enterprise restrictions. Personal files from unmanaged locations/apps have no restrictions.

How can I exit (disable) enterprise/managed mode?

  • Android: Uninstall the Intune Company Portal, or sign out of the portal.

  • iOS: Go to Settings > Preferences. Under the Microsoft Intune section, disable Enroll.

Note

Performing this action deletes all enterprise files from all managed apps.

What is multi-identity?

Acrobat supports multi-identity, which simply means that it knows whether a file should be managed or not; in other words, it distinguishes between enterprise and personal files based on Intune settings.

When was multi-identity implemented?

January, 2020 on Android. February, 2020 on iOS.

How does the mobile app manage sign in tokens?

Sign in tokens are managed by Microsoft Intune.

What is the refresh time before sign in is again required?

That is a setting in the Microsoft Intune console.

Does Acrobat encrypt content on the mobile phone? Where is it stored?

Yes. iOS provides standard app container encryption.

Are there separate Acrobat Intune installers for Intune?

No.

When the device or app is in a managed state, is Scan integration enabled?

Yes. Integration with the DC Scan App remains functional.