This week I was testing the new Acrobat Reader for iOS and Android on devices where we use App Protection policies to protect the corporate data of my customer. Great to see that Adobe embraced Microsoft Intune so that the Acrobat Reader can be used to read and annotate corporate PDFs when you don’t have OneDrive for Business implemented within your company.
As I said, I have spent some time testing this week, and the activation is slick. When you first open a PDF from Outlook you will be forced to authenticate with your corporate UPN to enable the Intune protection. You can also use an option in the Settings of the app to enable Intune.
While enabling the Intune protection via the App Protection policies, you get the normal dialogs to restart the app and to configure the PIN to lock down the app (if you configured this, of course). After enabling the Intune protection, copy/paste protection works instantly and all looks fine, but unfortunately the app has some flaws in its data protection.
When you have a personal Adobe Document Cloud account enabled within the Acrobat Reader, you are not prevented from saving corporate documents to the Adobe cloud. In the past, without the option to filter out non-managed apps via the Open-in/Share filtering option, you were assured that the document was encrypted and only the Intune managed application could read the document.
Unfortunately, when saving the document to the Adobe Cloud it is not encrypted in any way, and you can easily open the document via the web browser on a non-managed device.
yourself in my next video on my Enterprise Mobility Tips YouTube channel.
For now my advice is to remove the Acrobat Reader app from the Targeted Apps in your App Protection Policies if your company needs to control data leakage!
One side note is that the Intune support on the Adobe Acrobat Reader app on Android was not available yet. I will update as soon as it is available, but for now disable support…
Be aware, if you have selected the Adobe Acrobat Reader for Intune in an earlier stage as a targeted app, the new app is automatically selected in your App Protection Policies!
Update 6th of September 9.38pm:
Adobe allows the Adobe Acrobat Reader to be configured via App Config. (Thank you Mark Thomas for sharing this information!) To prohibit the usage of Cloud accounts in the Adobe Acrobat Reader, we can set allowDocumentCloudFSAndServicesAccess to false as a workaround.
In my opinion the app should fully support the SDK and prohibit data leakage out of the box without the need to configure other options. See the following short video on how to configure the setting:
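As an added example (not from the original post, and not Adobe or Microsoft code), the following sketch audits exported app configuration policies and reports, for each policy that targets Acrobat Reader, whether the workaround key is actually set to false. The export shape (`apps`, `mobileAppIdentifier`, `customSettings`), the app identifiers and the sample policies are assumptions constructed for illustration.

```python
SETTING = "allowDocumentCloudFSAndServicesAccess"  # key named in the update above
# Assumption: Acrobat Reader identifiers (iOS bundle ID, Android package ID).
READER_IDS = {"com.adobe.Adobe-Reader", "com.adobe.reader"}
IOS = "#microsoft.graph.iosMobileAppIdentifier"
ANDROID = "#microsoft.graph.androidMobileAppIdentifier"


def _app(kind, key, value):
    """Build one targeted-app entry for the constructed sample."""
    return {"mobileAppIdentifier": {"@odata.type": kind, key: value}}


# Constructed sample, shaped like exported app configuration policies.
SAMPLE = [
    {"displayName": "Reader - cloud blocked",
     "apps": [_app(IOS, "bundleId", "com.adobe.Adobe-Reader")],
     "customSettings": [{"name": SETTING, "value": "false"}]},
    {"displayName": "Reader - no settings",
     "apps": [_app(ANDROID, "packageId", "com.adobe.reader")],
     "customSettings": []},
    {"displayName": "Reader - misconfigured",
     "apps": [_app(IOS, "bundleId", "com.adobe.Adobe-Reader")],
     "customSettings": [{"name": SETTING, "value": "True"}]},
    {"displayName": "Outlook config",
     "apps": [_app(IOS, "bundleId", "com.microsoft.Office.Outlook")],
     "customSettings": []},
]


def targeted_ids(policy):
    """Collect the bundle/package IDs a policy is targeted at."""
    ids = set()
    for app in policy.get("apps", []):
        ident = app.get("mobileAppIdentifier", {})
        ids.update(ident[k] for k in ("bundleId", "packageId") if ident.get(k))
    return ids


def audit(policies):
    """Map each Reader-targeting policy name to ok / missing / cloud-allowed."""
    findings = {}
    for policy in policies:
        if not (targeted_ids(policy) & READER_IDS):
            continue  # policy does not cover Acrobat Reader
        values = [str(s.get("value", "")).strip().lower()
                  for s in policy.get("customSettings", [])
                  if s.get("name") == SETTING]
        if not values:
            status = "missing"        # key absent: cloud accounts stay usable
        elif all(v == "false" for v in values):
            status = "ok"
        else:
            status = "cloud-allowed"  # key present but not set to false
        findings[policy["displayName"]] = status
    return findings
```

An empty result from `audit` is itself a finding when Acrobat Reader is a targeted app in your App Protection Policies, since it means no configuration policy applies the workaround at all.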
Also many thanks to the Microsoft Intune Product Group for reaching out to Adobe and sharing the workaround as shown and described above.
After making Microsoft aware of the issue, the Intune support team shared the workaround to fix the issue on their support site.
If you want to follow the progress of the issue, have a look at the links below, which are also shared in the video.
- Microsoft Intune Support blog: https://techcommunity.microsoft.com/t5/Intune-Customer-Success/bg-p/IntuneCustomerSuccess
- Microsoft Intune Support twitter: https://twitter.com/intunesuppteam
Let me know if you have tips/topics you want to see or if you want to add your own tips to this channel!
Also make sure you subscribe to my new Enterprise Mobility Tips YouTube channel!
Thank you and till soon!
I have included Adobe Reader in the scope of my MAM policies, I have manually gone into the Adobe Reader settings and Enrolled in Intune but I don’t get an option when clicking a PDF attachment in Outlook to open in Adobe? I am using the Policy managed apps with Share filtering option currently.
Thank you for that information. One thing I have also picked up is that when you have a pdf document in say WhatsApp, and you try to share the pdf with other apps, including managed apps, on Android, this turns to open with Adobe Reader. The document is then seen as company data, and you are only restricted to share a copy with only managed apps. I am not sure if you have come across this.
On iOS, I can share directly from within WhatsApp to any app without opening the document with Adobe Reader.
According to Microsoft, “Intune can determine whether you are working on a personal or work document and only applies the company security policies when it senses you are in a work-related document.” How does it do this?