Mobile Acrobat and Intune

Intune is Microsoft’s EMM solution that provides both MDM and MAM. As one of Microsoft’s Azure cloud-based services, it supports app management via policies, reporting and alerts, and other essential enterprise tasks. Acrobat’s support for Intune means you can proactively manage files and features on both iOS and Android. Files can either be managed or unmanaged, and you can also control how these files move from one state to another in a way that complies with your organization’s security policies.

IT has a number of options when setting configuration policies, but note that the behaviors described below will vary across environments since organizations will certainly manage applications, features, and files in unique ways. Since these aspects of your configuration interact with each other, configure policies to comply with your specific needs.

Acrobat iOS

You can configure and manage Acrobat on iOS using both Intune’s default properties as well as custom properties provided by Adobe. End users can enroll and unenroll directly from their device.


Admin deployment

The settings described here behave differently when applied in MDM or MAM configuration policies:

  • MDM: IT can manage the entire device, including any file or app for enrolled users.

  • MAM: IT can manage any targeted app.

In both cases, files can either be personal (unmanaged) or work (managed) depending on their origin.

To configure a policy via Intune:

  1. Download the latest XML definition file.

  2. Create a device or application configuration policy.

  3. Open the XML file, and copy the needed values into Intune’s policy console (see the table below).

  4. Set the values to True or False.

  5. Complete the policy configuration workflow.


The Intune console provides a number of configuration options. The following table lists only those features provided by DC Acrobat Reader. Interactions between Intune and device settings as well as managed and personal files can be complex. Configurations will vary across environments, and there is some nuance to what these settings mean:

  • Products like Document Cloud and Dropbox offer multiple services. While the settings below cannot disable those services, they can block file system access which is usually required to complete a workflow for a particular service. For example, ExportPDF requires access to the Document Cloud file system (for saving), so blocking access to that system essentially disables ExportPDF.

  • “Managed” and “Unmanaged” are not synonymous with “blocked/unblocked” or “secure/unsecure”. The net effect of your settings may depend on other Intune policy settings, including what you’ve enabled/allowed for other apps.

Configuration values

| Field | Description | Example |
| --- | --- | --- |
| allowOpenFromManagedToUnmanaged | Allow managed to unmanaged operations | Users can save managed files to unmanaged locations such as Document Cloud and Dropbox. Previously blocked features such as copy and paste, print, share would then be permitted. |
| allowOpenFromUnmanagedToManaged | Allow unmanaged to managed operations | Users can save unmanaged files to managed locations. For example, a user could open an unmanaged Document Cloud or Dropbox file then save it to a managed file location. |
| allowDocumentCloudToBeTreatedAsManaged | Allow Document Cloud to be treated as managed. | Not all clients on Document Cloud are managed, and by using it, you expose yourself to leakage through other applications. |
| allowDocumentCloudFSAndServicesAccess | Allows Document Cloud file system access. | When false, DC cloud storage and services that require access to the DC file system are unavailable. |
| allowDropboxFileSystemAccess | Allows Dropbox file system access. | When false, Dropbox is unavailable. |
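
Because the iOS keys are copied by hand from the XML file and set to True or False, a pre-deployment check can catch mistyped keys and non-boolean values and summarize what the chosen values allow. This is an added example, not Adobe or Microsoft code; `review_policy`, `parse_bool` and the sample input are hypothetical, and it assumes key names must match the table exactly.

```python
# Key -> (value that triggers a note, effect as described in the table above).
NOTES = {
    "allowOpenFromManagedToUnmanaged": (True,
        "managed files can be saved to unmanaged locations; copy/paste, print, share permitted"),
    "allowOpenFromUnmanagedToManaged": (True,
        "unmanaged files can be saved to managed locations"),
    "allowDocumentCloudToBeTreatedAsManaged": (True,
        "not all Document Cloud clients are managed; leakage through other apps"),
    "allowDocumentCloudFSAndServicesAccess": (False,
        "DC storage and services needing the DC file system (e.g. ExportPDF) unavailable"),
    "allowDropboxFileSystemAccess": (False, "Dropbox unavailable"),
}

def parse_bool(raw):
    """Accept only True/False, the values the procedure calls for."""
    value = str(raw).strip().lower()
    if value not in ("true", "false"):
        raise ValueError(f"not a True/False value: {raw!r}")
    return value == "true"

def review_policy(entries):
    """entries: key -> value as typed. Returns (errors, notes, unset keys)."""
    errors, settings = [], {}
    by_lower = {k.lower(): k for k in NOTES}
    for key, raw in entries.items():
        if key not in NOTES:  # assumption: keys must match the table exactly
            hint = by_lower.get(key.strip().lower())
            errors.append(f"unknown key {key!r}" + (f", did you mean {hint}?" if hint else ""))
            continue
        try:
            settings[key] = parse_bool(raw)
        except ValueError as exc:
            errors.append(f"{key}: {exc}")
    notes = [f"{k}={v}: {msg}" for k, (v, msg) in NOTES.items() if settings.get(k) is v]
    return errors, notes, sorted(set(NOTES) - set(settings))

# Constructed sample input, not a real tenant's policy.
SAMPLE = {
    "allowOpenFromManagedToUnmanaged": "True",
    "allowopenfromunmanagedtomanaged": "False",     # constructed casing slip
    "allowDocumentCloudFSAndServicesAccess": "no",  # not True/False
    "allowDropboxFileSystemAccess": "False",
}

if __name__ == "__main__":
    for label, items in zip(("errors", "notes", "unset"), review_policy(SAMPLE)):
        print(label, *items, sep="\n  ")
```

Keys reported as unset fall back to the app's default behavior, which this page does not state.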

Enrolling users

You may make Adobe apps available to users via your preferred methodology, but with in-app Intune enrollment available, end users typically just download the app from the App Store.

Instruct your users to do the following:

  1. Install and open the app.

  2. Tap the profile icon > Preferences.

  3. Go to Microsoft Intune > Enroll, and toggle the feature on.

  4. When the Microsoft sign in screen appears, complete the enrollment process.


Unenrolling a user or device

Users unenroll and exit the managed environment by toggling off the Enroll in Intune preference on their device.

Acrobat Android

You can configure and manage Acrobat on Android using Intune’s default properties. End users can enroll and unenroll directly from their device by signing in and out of any managed app or the Intune Company Portal.

The current Android release does not support:

  • Distinguishing between managed and personal documents. All files are managed or unmanaged. Such support is forthcoming.

  • Dropbox


System requirements

  • Android 5.0+

  • Acrobat Reader (latest version preferred; version 19.6.0 is required)

  • Intune Company Portal app on the device.

Admin deployment

To configure a policy via Intune:

  1. Create a device or application configuration policy.

  2. Configure any available settings which appear in the Intune UI. Unlike iOS, there are no manual configurations, so the Intune Console displays all available options.

  3. Choose OK.


Enrolling users

End users must do the following on their device:

  1. Install the Intune Company Portal.

  2. Open the Intune Company Portal.

  3. Sign in to the Intune Company Portal app or any other Microsoft app that’s managed. Users cannot sign in via Acrobat Reader as Microsoft sign-in is not supported from the app.

  4. If there is a company sign in screen, complete the workflow.

After the sign in process completes, the app automatically registers the device with the organization and enforces the Intune policies.

Tip

Users can verify enrollment by tapping the profile icon > Preferences. An “Enrolled” status appears under the “MICROSOFT INTUNE” heading.


Enforcing policies without enrollment

MAM allows users to switch in and out of the Intune managed environment even when the device is not enrolled. When not signed in to their work account, they can use the app in an unmanaged way without Intune policy enforcement. Once signed in, the app is subject to the configured policies. This scenario allows users to use their device as usual when not accessing enterprise data while allowing IT to protect enterprise data as needed.

  1. Install the Intune Company Portal app.

Note

Do NOT sign in as that places the device in managed state.

  2. Install Acrobat Reader.

  3. Sign in to the Intune Company Portal app or any other Microsoft app that’s managed. Users cannot sign in via Acrobat Reader as Microsoft sign-in is not supported from the app.

After sign-in, the app logs in to the Microsoft account and enforces the Intune policies. To exit the managed state, users simply sign out and restart Acrobat (required). Acrobat automatically unregisters from Intune.

Intune FAQs

How does the mobile app manage sign in tokens?

Sign in tokens are managed by Microsoft Intune.

What is the refresh time before sign in is again required?

That is a setting in the Microsoft Intune console.

Does Acrobat encrypt content on the mobile phone? Where is it stored?

Yes. iOS provides standard app container encryption.

Are there separate Acrobat installers for Intune?

No.

When the device or app is in a managed state, is Scan integration enabled?

Yes. Integration with the DC Scan App remains functional.