Acrobat Reader DC – 3 ways to lock down the cloud

  • Sumo

The Cloud and Acrobat Reader DC

Adobe’s Acrobat DC and Acrobat Reader DC were released earlier this year and, no surprise, the “cloud” is a major feature of the new version.  Saving and retrieving files to the Adobe Document Cloud (the “DC” in Acrobat Reader DC) and Office365/SharePoint has been available for some time.

A new release in October added Dropbox to the mix and there are indications that other services will soon follow.Locking down Acrobat Reader DC Document Cloud

While I am all for cloud services there are times when turning these features off is a plus.  Not every business owner wants all their employees to be able to access company documents while outside the office, for instance.  Confidential information and the cloud don’t always mix well and keeping your internal documents internal is an ongoing challenge.

The default for most applications, and Acrobat Reader DC is no exception, is to turn these cloud integration features on.

Here are three ways you can shut them off.

Adobe Customization Wizard DC

The Adobe Customization Wizard DC is one option.  The wizard allows you to set installation options, including cloud services, and then distribute a custom Acrobat Reader DC installer.

This wizard requires a Windows Installer package which, in turn, requires a distribution license.  This is a great solution for businesses that have already locked down their desktops and laptops and want to push a customized installation out.

This, however, is not usually the case with the small businesses we work with.

Group Policy

Adobe also offers ADM packages for configuring Acrobat Reader DC via Group Policy.  Group policies can be enforced at the user or machine level and can be applied to different groups, however it does require that you have at least one server running Active Directory.

The benefits of this option are:

  • No distribution license required
  • No special installer needed
  • Can be applied to already installed and configured machines
  • Is enforceable and cannot be overridden

For businesses that have a domain controller and are running Active Directory this is the solution of choice.  EDIT – upon further testing I found that the ADM is woefully limited and cannot be used to prevent cloud access.

Registry

The final option is to make some registry changes.  Companies that aren’t a good fit for the Wizard or Group Policy options are in luck.  Adobe has provided all the registry entries you need to lock down Acrobat Reader DC.

For the purposes of this article I will tell you which ones are most important in regards to the cloud.

DISCLAIMER – These instructions are provided as is.  Proceed at your own risk.  Editing the registry can have unintended consequences and we do not take responsibility for any problems that may arise as a result of following these instructions.  Please be sure you understand the implications of editing the registry.  We highly recommend that you backup your registry before proceeding.  For more information see this article.

Disable Adobe Cloud Services (Document Cloud)

Locate and highlight:
HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown

Add KEY cServices if it does not already exist
Add DWORD bToggleAdobeDocumentServices to KEY cServices
Set bToggleAdobeDocumentServices value to 1

NOTES
This setting does not affect Adobe Send for Signature, preference synchronization, or third party connectors. For the base release, it also did not disable Send and Track; however, it does control Send and Track with the July, 2015 release. To disable all services, use bUpdater. Possible values include:

    0: Enable Document Cloud services.
    1: Disable Document Cloud services.

Disable 3rd Party Integrations (Dropbox,…)

Locate and highlight:
HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown

Add KEY cServices if it does not already exist
Add DWORD bToggleWebConnectors to KEY cServices
Set bToggleWebConnectors value to 1

NOTES
Allows configuring in-product access to third party services for file storage. Dropbox support began with the Oct. 13, 2015 release. Possible values include:
    0: Enable 3rd party connectors.
    1: Disable 3rd party connectors.

Disable Office 365 / Sharepoint integration

Locate and highlight:
HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown

Add KEY cSharePoint if it does not already exist
Add DWORD bDisableSharePointFeatures to KEY cSharePoint
Set bDisableSharePointFeatures value to 1

NOTES
Controls the application's ability to detect that a file came from a Sharepoint server, disables the check-out prompt, and removes the SharePoint specific menu items. Possible values include:
    0: Enable SharePoint and Office 365 integration.
    1: Disable SharePoint and Office 365 integration.

These entries will prevent your users from saving files to the Adobe Document Cloud, Office 365/SharePoint and Dropbox (for now, more to come).  In a small business with only a few users the entries can be applied to individual machines one at a time.

If you want to cut down the time it takes to make these changes you can export the registry keys from a computer that has been changed and then import those keys on the remaining computers.

For detailed instructions on exporting and importing registry keys see the following article.

The cloud has been a great tool overall.  The ability to work from anywhere with any device has made workers more mobile.  Sharing documents speeds up business processes.  But enabling all these features without some consideration can lead to problems later on.

The fact that these features are turned on by default is risky and business owners, as if they don’t have enough to worry about already, need to keep this in mind.

As always your questions and comments are welcome below.

Is all this too much for you?  Looking to lock down your network and protect your company documents?  Then give us a call at (866) 753-6279 or send us an email.

I play with computers for a living and I'm from New Jersey. Jealous?

Posted in Technology Tagged with: , , ,
9 comments on “Acrobat Reader DC – 3 ways to lock down the cloud
  1. Brenda says:

    THANK YOU a thousand times. My personal Acrobat Documents were showing up at work! What a ridiculous scenario, and the cock-eyed manner of disabling this feature is JUST LIKE ADOBE, un-user-centric.

    Used the registry method to kill it. Thank you.

  2. Jim says:

    Ever see an instance where these settings are already set, but on a random occasion the end user will still get the sign-in prompt?
    Win7 32-bit
    VMware View Desktop (floating pools with linked clones)
    About 90% on the time these setting do what they should, but from time to time I get an end user that gets this prompt. I verify the reg settings and they are correct, but still see the login prompt.
    Oddly enough, logging out and back into the View desktop seems to correct this. But this is a hassle for the end users.
    Thoughts?

    • I have not seen that. What’s curious is that you say it works 90% of the time. If the settings were wrong then I would assume you’d have 100% failure. If the settings did not appear in the client registry then I would assume there was a GP error. Neither of these seem to be the case. If you run gpupdate /force on the client does it correct the issue? Are there any errors or warnings in the event log around the time the user logs in or when they start Acrobat? That’s where I’d start looking.

      Let me know if you have any other questions or, when you figure this out, let me know.

  3. John Linehan says:

    David – we are currently testing an upgrade to Reader DC in our enterprise. In addition to disabling the Cloud functionality (got it), we’re looking to disable highlighting and commenting. Intent is to use Reader purely for viewing, esp. in the case of controlled documents (doesn’t everyone have ’em?) If the highlights & comments can’t be saved, then I guess it’s harmless to leave them enabled, but as long as there’s a “Save As” option, then this is a potential problem. Is there a way to disable these as is possible w/ Cloud functionality?
    Thanks in advance for your time.

    • As far as I am aware the short answer is “no”.

      The less short answer is that you should be able to achieve your goal with RMS if you want to go down that route. You’d need something like the Foxit add-on, though. I think Azure RMS will work also.

      Without a much more in depth understanding of why this is of concern to you I can’t really suggest any workarounds.

  4. Dano says:

    Great post, thank you for sharing. I wish I had found this before I did my own extensive testing with the ADMX templates for GPO, which were as you stated, woefully limited. It really made me wonder why they wasted their time making them if you can’t control any of the things that one might actually want to, but hey, they’re redesigning their product to be a marketing tool from the looks of things, so it is all too clear that they no longer care about their customers.

    • It is puzzling. Sort of like why GPO for Office 2013 and later doesn’t work on all versions and only on Volume licenses, individual retail apps (standalone Outlook etc) and only some Office 365 offerings.

      Not so puzzling really. But security policies should work across all versions and any player that wants to be in the SMB market shouldn’t require you purchase enterprise licenses to lock down app (or OS) security.

  5. Pretty funny…man! We’re all trying to solve the same problems. Here’s a details post with pictures. http://blog.migrationking.com/2016/08/how-to-disable-cloud-and-3rd-party.html

Leave a Reply

Your email address will not be published. Required fields are marked *

*

Anti-Spam Quiz: