One of the checkboxes in there allow you to Enable Feature Lockdown by selecting a properly formatted plist. However, creating that plist, properly formatted and with the settings required, is not as trivial as it may seem. Additionally, Adobe has some settings which can be confusing.
I spent more time that I'd like to admit using basic text editors (emacs, textwrangler) to create a plist. Sadly, they all resulted in 'corrupt' plist files. Besides Adobe Customization Wizard DC not reading them in, Xcode also wouldn't see my files as a valid plist, so I can't blame Adobe for that one.
I find it easiest to create a blank plist by using the defaults command.
Once you have a plist, you'll need to edit it. On modern computers, Xcode is the best bet. Property list editor is another option if you have it available. As you may be working with multiple level dictionaries, Plist Buddy is an option, but is not recommended.defaults write /Users/yourname/Desktop/AdobeLockdown.plist adobe -bool NO
Open your plist. If you have Xcode installed, just double-click it.
Select the line that says adobe on it and delete it. That was our placeholder to generate a plist to work with. When you select the line that says 'Root', you'll see a small + sign
that you can click. That creates a new line.Adobe's documentation shows '11' in their examples. That '11' refers to the version number of Adobe Acrobat you are working with. As of this writing, there are two current version, '2015', and 'DC'. DC is their 'Continuous track' while '2015' is a more traditional version scheme. You'll need the software version to match what you put in the key here. Read this link to decide which track is right for your organization.
http://www.adobe.com/devnet-docs/acrobatetk/tools/AdminGuide/whatsnewdc.htmlNoteworthy, DC does not allow you to disable Adobe Cloud sign in or some other features. DC stands for Distributed Cloud and thus online functionality tends to be required.
My organization is deploying 2015 so I created a new key in my plist called '2015'. Set the type to Dictionary. Under that, I created another line, as a child of 2015, called FeatureLockdown.
Again, the type is Dictionary.
Now is the time to start adding your Lockdown Features. They are documented by Adobe at
http://www.adobe.com/devnet-docs/acrobatetk/tools/PrefRef/Windows/index.htmlI found reading the Windows reference was easier as it showed the path needed for the key. For example, if you want to disable rendering of Flash content in the PDF, you'll add a child key to Feature Lockdown called 'bEnableFlash' of type boolean set to NO.
By looking at the HKLM Path, you can see that 'bEnableFlash' comes after FeatureLockdown.
Some features requre parent dictionaries. For example, lets say you want to disable Webmail integration. Looking at the documentation under WebMail, you can see 'bDisableWebmail' has a HKLM Path of "HKLM\SOFTWARE\Policies\Adobe\(product name)\(version)\FeatureLockdown\cWebmailProfiles". To translate that to your plist, under FeatureLockdown, create a new key of type dictionary called 'cWebmailProfiles'. Under that, create a new boolean key called 'bDisableWebmail' set to YES.
Here you can see I also added 'bUpdater' under FeatureLockdown. That prevents Acrobat from updating itself. As I'm in a managed environment, I update Acrobat after it's been tested here.
Interestingly, there is a second control called 'bUpdater'. While the one mentioned above (as a child of FeatureLockdown) references Acrobat's ability to run its built in update mechanism, the second is under Workflows in the documentation under Services integration. This 'bUpdater' setting disables updates to web-plugin components and all services. Below, you can see both bUpdater lines as well as a few other settings I decided to set.
Be careful of some settings, such as 'bToggleWebConnectors' which require a YES to lock it out, while other settings require NO to lock it out. The documentation is critical.
You may notice that many of the settings start with the letter 'b'. That tells Acrobat to expect a boolean (yes or no) setting. Others begin with 'c' which, in Apple terms, is a Dictionary, containing sub entries. You may also see 't' which tells Acrobat to expect a text string for the data type.
Thank you for taking the time to post this. The bits about not using a text editor and bUpdater needing a parent key of cServices in particular.
ReplyDeleteUseful post! Thank you.
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteTodd, thank you for sharing! This is exactly I was looking for.
ReplyDeleteAfter spending hours trying to use the Feature Lockdown plist in Acrobat Pro DC, I finally stumbled upon your blog post. Thanks for mentioning - the following line should be marked bold in Adobe Support Forum:
"DC does not allow you to disable Adobe Cloud sign in or some other features. DC stands for Distributed Cloud and thus online functionality tends to be required."