Manage Acrobat X Pro and Acrobat X Standard using Group Policy
Pretty much everyone has the Acrobat Reader application, but here, we’re going to talk about it’s “bigger (pay version) brothers”: Acrobat X Standard and Acrobat X Pro.
(Tip: If you want to see how PolicyPak manages Acrobat X Reader using Group Policy, then click here and watch the video.)
So, one of the key design goals of Acrobat X Pro and Acrobat X Standard was this security function called “Protected Mode.” It’s a swell idea to help your users be more secure. It's only available in Acrobat X Pro and Acrobat X Standard 10.1.
Here’s a quote, right from Adobe’s blog (which you can see directly if you like by clicking here):
“Acrobat strictly confines the execution environment of untrusted PDF files and the processes they invoke. Based on user preferences when Protected View is enabled, Acrobat assumes either all PDF files or just PDF files loading from untrusted locations are potentially malicious and confines processing to a restricted sandbox.”
But here’s the kicker, it’s not enabled by default. I know! I was shocked too!
So, here’s the blog entry again:
“Protected View is disabled by default to ensure compatibility with existing workflows… but Protected View should be enabled all the time for casual users who interact with PDF files in unsecured environments."
So, how, exactly are you going to ensure Protected Mode is on and guarantee it stays on? Not to mention, how are you going to manage any of the other 1000+ Acrobat Pro X settings using Group Policy? Watch this video to find out:
For some settings, it’s true Adobe has that helpful “Customization Wizard X” utility. That utility can be helpful when you’re rolling out machines and setting up some “baselines.”
Great. But now what do you do after Acrobat has been deployed and your users change your pre-configured settings? Or, you realized you need to change some important default?
Answer: Without PolicyPak, you’re in trouble. Big trouble. If the user changes a setting, that’s it – the user has worked around your desired setting, and now you’ve got a help desk call to deal with, or, worse, a virus that got delivered using Adobe Acrobat when the user turned back on Javascript support.
Don’t be that guy!
Our solution isn’t a mere “ADM” template, it’s a true Group Policy extension, with powerful management and lockdown capabilities. PolicyPak can deliver, lockdown and revoke Acrobat settings – the way you need to using Group Policy.
Our PolicyPak software snaps-in to the Group Policy Editor and mimics the user interface of the Acrobat XPro itself. You can set key settings (like turning off Acrobat Reader updates), like what is seen here:
'))
You can ensure that Adobe’s Enhanced Security is truly (always!) enabled using Group Policy, which makes your whole company more secure, as seen here:
'))
Or ensure minimize options that Acrobat Pro X shows to the user, so they aren’t confused, like what’s seen here:
'))
Without PolicyPak, you’re on the losing side, because users are going to simply steamroll over you. Oops! There goes one now!
Besides, once you’re using PolicyPak to manage Acrobat Reader, you’ll also get to manage all your other enterprise desktop applications the same way: Java, WinZip, Firefox, and any custom applications you have. They’re 100% included – absolutely free.
It’s all included when you’re a PolicyPak Professional customer.
PolicyPak was designed by Group Policy MVP Jeremy Moskowitz – who “wrote the book” on Group Policy, runs GPanswers.com, and lives and breathes Group Policy and enterprise software deployments and desktop lockdown.
When you’re ready to get serious about managing Acrobat X Pro today, PolicyPak is ready for you.
Use the Download or Webinar buttons on the right to request an evaluation. Or call us at 800-883-8002.
Manage Acrobat X Pro with Group Policy Video Transcript
Hi, everybody. This is Jeremy Moskowitz, Group Policy MVP and Founder of PolicyPak Software. In this demonstration, we’re going to learn how to manage Acrobat X Pro using Group Policy and PolicyPak.
Let’s take a look at the problem here. Before I begin here and even try to contemplate the over a thousand settings that they’ve got here, let’s make sure we can agree on something. Right here, I’m running as a regular old standard user. I’m not an administrator, and yet I can do all sorts of stuff that I shouldn’t be able to do.
For instance, if I go over to “JavaScript” here – actually this is something that I should teach my users to do, but probably they wouldn’t know how to do it in the first place – which is we want to teach them to uncheck “Enable Acrobat JavaScript.” It could be used as a potential security hole. I know Adobe says that they’ve probably closed that problem, but I don’t want to be even in the ballpark of a problem. So it would probably be good if it was checked to the then uncheck it.
That’s the first one. Then the more serious one is this “Security (Enhanced)” section here. Adobe’s making a real big deal about this, and they should; it’s a really great thing. But what’s also true is that by default this “Enable Enhanced Security” while this checkbox is on, this radio button – I’m not joking – is set to “Off” by default for “Protected View.” Let me say that again. This very important security feature that Acrobat X Pro has that should be enabled is unfortunately turned off by default. So, gosh, that seems like a real big problem.
OK, let’s leave this area and go on to yet another confusing thing for users, the “Updater” tab. Here you can see the default that is on my installation is “Automatically install updates.” Some people don’t want that set by default, because you as an IT administrator want to deliver the application on your schedule, not them.
If a user – again, I promise I’m just a regular user – they try to click on “Do not download or install updates automatically” and then they click “OK,” well, what’s going to happen? Well, as a standard user, they’re going to get the UAC dialogue prompt in their face. That’s confusing. That’s a call to the help desk. They don’t have administrative rights to do that. That just is all going to end in tears, so we don’t want that.
Let’s go ahead and see if we can solve all three of these problems. I just want to prove that by the way it didn’t somehow magically change underneath the hood. It’s still, in fact, set to “Automatically install updates.” Let’s see, what do we want to do here? We want to uncheck “Enable Acrobat JavaScript.” That’s the first thing we want to do.
The second thing we want to do is to force on this “Enable Enhanced Security.” If a user does uncheck the checkbox and click “OK,” well again, that’s something that they shouldn’t do, right? Then lastly just for this example, we’re going to set this application to “Do not download or install updates automatically.”
Again, there are eight billion other things you can do here in Acrobat X Pro, and PolicyPak does pretty much all of them. If there is another setting here that you need to set for one collection of users or another collection of users, PolicyPak can deliver the setting and also ensure that users won’t work around it. There we go. Let’s uncheck. We’ll click “OK,” and we’ll go ahead close this app. We’ll head on over to my Group Policy Management Console here.
Before we get into the Group Policy Management Console, let’s take a look. We’ve got our “PreConfigured PolicyPaks” here. We’re working on a large collection of them here. We’ve got “Acrobat X (Reader)” which I show in another video, “Acrobat X Pro” which is what we’re about to talk about now. We’ve got “Firefox” and “Flash” and “Java” and “Lync” and “Thunderbird” and just a lot of great applications that you probably have and have always wanted to manage but didn’t know how. But now with PolicyPak, it’s super easy.
What we’ll do is it’s as easy as copying a file. On the left side here, we’ve got our “PolicyPak\Extensions” directory. On the right here, we’ve got “Acrobat X Pro,” the PreConfigured PolicyPak ready to go. It’s literally as simple as copying a file. I already have it there, so I’m just going to recopy it in. But no need, I already have it there. I’m going to take the PreConfigured PolicyPak file and copy it into my management machine. That’s it. We’re done. We are ready to rock.
Let’s go ahead and all of our “East Sales Users” we’re going to “Create a GPO in this domain, and Link it here…” and we’ll call this “Manage Acrobat Pro X Using Group Policy and PolicyPak.” Right click, we’ll click “Edit…” here. Now we’ll dive down under user side “PolicyPak/Applications/New/Application.” What we want to manage is “PolicyPak for Adobe Acrobat Pro” right there. We’ll double click it, and yes there are in fact a lot of settings here.
Let’s go first for “Updater.” What we want to do is we want to “Do not download or install updates automatically.” Maybe you do for some users, that’s fine, and not for others. With PolicyPak, it’s super easy to configure, say, the “East Sales Users” to do it one way and the “West Sales Users” to do it another way.
But you know what, we still saw that UAC account control prompt in our face. Maybe we don’t want users to ever see that. Wouldn’t it be neat if we could right click and "Disable corresponding control in target application"? With that in mind, what’s going to happen is that it’s going to gray out these radio buttons so a user can’t possibly screw it up.
Let’s move on to “JavaScript.” I know that, like I said, it could be used as an attack vector. So what we’ll do is we’re going to uncheck this checkbox. But just unchecking it isn’t enough. We should right click and also "Disable corresponding control in target application" thus making sure that a user can’t work around the setting.
Let’s go over to the “Security (Enhanced)” tab. Once again, if it’s unchecked, we want to make sure it is in fact checked. We want “Protected View” not “Off” but for “All files.” While we’re here, let’s once again right click over and "Disable corresponding control in target application" here, and we’ll also right click and "Disable corresponding control in target application" there. This is all going to be grayed out so a user can’t use it.
One other thing that you may want to do is to minimize things that users have access to. Let me go back to the application real fast. Let’s go back to “Security (Enhanced)” just for fun just for two seconds here.
If I go to “Edit/Preferences…” and go to “Security (Enhanced),” see this “View Windows Trusted Sites” thing? I don't know, but I think this is kind of confusing for users to have to manage on their own. Besides, this is stuff you could configure using Group Policy anyway, so why would we give users the ability to access this here?
So I’ve got an idea. Why don’t we literally remove the button completely so that way it’s not confusing for the user. Let me show you what I’m talking about here. Back in Group Policy over here on my management station, I’m going to right click and "Hide corresponding control in target application." I’m going to remove the UI element so it’s not available for the user. That’s it. I’ve made my settings changes here. I’m going to go ahead and click “OK.”
Alright, and now we’re back here. If we refresh here, we’ll see all the settings inside the Group Policy Management Console that we’re about to configure here all nice and pretty like that. Now that that’s all done, let’s go ahead and go back to our client machine.
We’ll go ahead and run a command prompt here. We’ll run “gpupdate.” Again, we don’t have to run GPUpdate. We could log off and log back on. We could get a new machine. We could change job roles and get different settings. We could be getting a new laptop. We could be logging onto a terminal server or Citrix server or any number of things or just wait a little while, because Group Policy just kicks in in the background about every 90 minutes or so. But I’m running GPUpdate.
Now that that’s done, I’ll go ahead and close this out. Let’s check out our friend “Adobe Acrobat X Pro” here again and see what we find here. Let’s go to “Edit/Preferences…” We’ll go to “Updater” first. Look at what we’ve done. PolicyPak has delivered the setting that says “Do not download or install updates automatically,” and we’ve grayed out the UI. So no more UAC prompts, no more confusion for the user. We’re delivering the setting and locking it down.
Let’s go over to the “JavaScript” guy here. Sure enough, we’ve unchecked it therefore making it more secure and graying the setting out once again. Therefore the user can’t click it. Excellent.
Let’s go over to “Security (Enhanced),” the really big one. There we go. Look at that. We’re delivering a checkbox. We’re guaranteeing that all the East Sales Users are going to have this setting and the “Protected View” is on for “All files.” Remember that confusing Internet Explorer thing that they had available here? We’ve literally removed the UI so a user can’t possibly work around the setting. That’s exactly the point.
So that’s the point of PolicyPak – delivering settings, making you more secure, locking down the UI so a user can’t work around it. We are way, way, way more than an ADM or ADMX file. We are a settings management system. We can deliver any setting, revert it back and also lock it down.
When you’re ready to get serious about locking down not just Acrobat X Pro but all the applications in your environment – Flash, Firefox, Java, all the big ones – we’re here for you at PolicyPak. Just click the big old download button on the right to get started. We’re here for you.
