The presentation below is the second in a series that covers topics relevant to IT; this one covers advanced tips and tricks for the Adobe Customization Wizard X. Click on the image preview to open the presentation in another window.
This video is the second in a series that will cover Enterprise Administration of the Acrobat X family of products.
This second video covers advanced use of the Adobe Customization Wizard. The Adobe Customization Wizard is a free downloadable utility that provides a graphical interface to the Windows Installer for Acrobat and Reader. It was designed to help IT professionals take greater control of enterprise-wide deployments of Adobe Acrobat and Reader. With it you can customize the installer and application features prior to deployment.
If you have not watched part one of this series, I suggest you do so now. Before I begin with the advanced topics, I’ll briefly review the functionality of the Customization Wizard. The Customization Wizard enables IT administrators to modify the installer via a transform file (MST file) without altering the original package (MSI file) and to customize the look and feel of Acrobat or Reader before deployment to meet the unique needs of their users.
Key features include the ability to
- Optimize the behavior of the installer by including silent installation
- Make the serial number part of the installer and custom setup choices
- Remove existing installations of older versions of Acrobat and Reader
- Suppress the display of the EULA and registration prompts
- Preconfigure and lock Enhanced Security settings
Before I begin, I’d like to call your attention to the Preference Reference. The Preference Reference is a detailed application-tuning guide that describes configuration settings for both plist files for Mac and the registry for Windows. The Preference Reference is part of the Administrator’s Information Manager and is available via links on the show page or by clicking on the links associated with this video. You’ll want to refer to the Preference Reference for more detailed information on most of what I talk about in this presentation.
The Wizard’s user interface provides basic options for security configuration. However, you may find that you want to utilize a more manual process to more tightly control how the application is deployed. If you have very specific needs that are not met by the UI in the Customization Wizard panels, I recommend this easy, seven-step workflow.
Step 1 – Install a copy of either Acrobat or Reader X, or use an already configured existing installation. This will configure the registry and create some files on the disk that you may want to deploy, so you’ll want to run the Customization Wizard on this machine as well.
Step 2 – Configure the application via its user interface. In particular, go through the Preferences panel by choosing Edit > Preferences and the Security Settings dialog by choosing Protection > More Protection > Security Settings.
Step 3 – Lock down features so that your settings cannot be changed by end users.
Step 4 – Use the Customization Wizard to drag and drop the configured registry to the installer.
Step 5 – Use the Customization Wizard to configure application preferences that were not already configured manually.
Step 6 – Set up file deployment. You may need to deploy additional files that were created when you configured Acrobat such as watermarks, headers, footers, stamps and so on.
Step 7 – You can optionally set up “server based security” to configure Acrobat and Reader to regularly check in with a server for updates to security settings and policies.
You are now ready to deploy the application as described in the Customization Wizard documentation.
The rest of this presentation assumes that you’ve already done steps one and two: you’ve already installed Acrobat and configured it to work the way you want the deployed copies to work.
Step 3 is to lock down features so that your settings cannot be changed by end users.
Preference locking is one of the most effective ways to ensure your Acrobat and Reader installs continue to function the way that you intended when they were deployed. On Windows, certain security-sensitive or otherwise enterprise-centric preferences are lockable to prevent editing by end users through the user interface. These include preferences in HKEY_CURRENT_USER that are mapped to registry entries in the HKEY_LOCAL_MACHINE FeatureLockDown section. Because they reside in HKEY_LOCAL_MACHINE rather than HKEY_CURRENT_USER, modifying them requires administrator privileges.
This slide lists the features that have lockable preferences. You probably don’t need to set every one and I’ve highlighted the settings that are most interesting. Check the Preference Reference for details on how to lock these features and what the effects are.
One feature that I highly recommend locking is Protected Mode or Sandboxing. Protected Mode represents an exciting new advancement in attack mitigation. With Protected Mode enabled, all operations required by the viewer to display the PDF file to the user are run in a very restricted manner inside a confined environment, the “sandbox.” The effect is that even if an exploitable security vulnerability is found by an attacker, Protected Mode will help prevent the attacker from writing files, changing registry keys or installing malware on potential victims’ computers. Protected Mode is enabled by default but it’s not locked in the on position. To lock protected mode on so that end users cannot modify this setting and turn it off, use the Registry panel of the Customization Wizard.
The easiest way to add the proper Protected Mode lock setting to the Registry tab of the Customization Wizard is to set Adobe Reader to use Protected Mode, which is the default, and copy that setting to the HKEY_LOCAL_MACHINE FeatureLockDown section. The setting is identical in both places, so it’s just a drag and drop; you don’t need to add additional keys.
Step 4 is to use the Customization Wizard to drag and drop the configured registry to the installer.
One of the questions I get most frequently is “how can I preconfigure the quick tools bar?” It’s pretty easy. In step 2 you configured a copy of Acrobat with the tools that you want displayed in the quick tools bar. Now, using the Customization Wizard, locate the registry key “cFavoritesCommandsDesktop” and drag that into the destination computer window. This technique works with just about every setting. For example, you can also configure which additional panels are listed in the tools area and put additional tools in the toolbar outside of the quick tools area.
In Step 5 you’ll configure any settings that cannot be accessed through the Acrobat or Reader preferences panel or other parts of the UI.
FIPS mode is one such setting.
For customers in the United States, Acrobat and Reader can provide encryption via the Federal Information Processing Standard or FIPS. FIPS is a cryptographic security standard used by the federal government and others who require higher degrees of security. Through registry configuration it is possible to force Acrobat to use only FIPS 140-certified cryptographic libraries. Doing so only affects the editing and not the reading of PDF files, and it only affects encryption and digital signature workflows.
FIPS mode changes Acrobat’s default behavior as follows:
- FIPS-compliant algorithms are always used.
- Self-signed certificate creation is disabled. In FIPS mode, users cannot create self-signed certificates.
- Signing with non-FIPS supported algorithms results in an error message.
- Password security is turned off. Users can apply certificate or Adobe LiveCycle Rights Management Server security using the AES encryption algorithm to a document, but password encryption is disabled.
- When applying certificate security, the RC4 encryption algorithm is not allowed.
- Documents protected with non-FIPS compliant algorithms cannot be saved.
Basically, FIPS mode forces users to conform to the FIPS requirements. FIPS mode can only be turned on by modifying the Windows Registry using the Customization Wizard’s Registry Panel. I’m not recommending that everyone turn on FIPS mode but it is a great use case to demonstrate how to use the Registry Panel. Other settings that cannot be set through the Acrobat UI will use a similar process.
To enable Acrobat to run in FIPS mode, locate the AVGeneral key and add a new DWORD value called “bFIPSMode”. Set the value to 1.
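An added example, not from the original presentation or Adobe's tooling: a registry export of the staged settings can be checked against a baseline before deployment, so that a required value such as bFIPSMode is present with the expected DWORD and any preference that must stay locked also has an entry under the HKEY_LOCAL_MACHINE FeatureLockDown section described in Step 3. The function names, `ExampleKey`, the `bExample*` values and `PLACEHOLDER_POLICY_PATH` are constructed placeholders, and placing `AVGeneral` directly under the product key is an assumption; take real names and paths from the Preference Reference.

```python
import re

# Constructed sample export. "AVGeneral" and "bFIPSMode" are named in the walkthrough;
# ExampleKey, the bExample* values and PLACEHOLDER_POLICY_PATH are placeholders.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\10.0\AVGeneral]
"bFIPSMode"=dword:00000001

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\10.0\ExampleKey]
"bExampleLockedPref"=dword:00000001
"bExampleUnlockedPref"=dword:00000001

[HKEY_LOCAL_MACHINE\PLACEHOLDER_POLICY_PATH\FeatureLockDown]
"bExampleLockedPref"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_dwords(text):
    """Return {(hive, key_path, value_name): int} for each DWORD in the export."""
    values, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := KEY_RE.match(line):
            current = (m.group(1), m.group(2))
        elif current and (m := DWORD_RE.match(line)):
            values[(*current, m.group(1))] = int(m.group(2), 16)
    return values

def is_lock_key(hive, key_path):
    """True for HKEY_LOCAL_MACHINE keys at or below a FeatureLockDown key."""
    parts = [p.lower() for p in key_path.split("\\")]
    return hive == "HKEY_LOCAL_MACHINE" and "featurelockdown" in parts

def audit(text, baseline):
    """baseline maps value_name -> (expected_dword, must_be_locked)."""
    values, findings = parse_dwords(text), []
    for name, (expected, must_lock) in baseline.items():
        hits = {(h, k): v for (h, k, n), v in values.items() if n == name}
        if not hits:
            findings.append(f"{name}: missing from export")
            continue
        for (hive, key), value in hits.items():
            if value != expected:
                findings.append(f"{name}: {hive}\\{key} is {value}, expected {expected}")
        if must_lock and not any(is_lock_key(h, k) for h, k in hits):
            findings.append(f"{name}: user-editable, no FeatureLockDown entry")
    return findings
```

Files written by regedit's export are typically UTF-16, so read them with `encoding="utf-16"` before passing the text to `audit`.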
Step 6 is to add any additional files that may be required by your workflows.
One of the great new features of Acrobat X is Actions. Actions are a defined series of commands with specific settings that run in a specific order that you are able to initiate in a single step. Because Actions are based on the earlier “Batch Sequence” feature, Action files are still called “sequences”, have a .sequ file extension, and belong in the sequences folder.
Another one of the great capabilities of Acrobat is the ability to extend the functionality through the use of 3rd party plug-ins, similar to Microsoft Office Add-ins. There are hundreds of plug-ins available for Adobe Acrobat that perform a wide variety of additional functions from enabling digital signature pads to integrating with document management systems. Plug-ins are actually .DLL files. However, because they leverage the Acrobat Application Programming Interface or API, they are called .api files and belong in the plug_ins folder.
You apply a stamp to a PDF document much the same way you apply a rubber stamp to a paper document. Stamps are PDF files and you can create custom stamps and deploy them so that they are available to your users. Because stamps are a type of annotation, they are placed in the annotations\stamps folder.
Step 7 is to set up Server Based Security. This step is optional.
For customers who are concerned with document security, the Customization Wizard lets you specify all of the settings you need to deploy Acrobat to be configured in a secure way. You’d need to set up your directory servers and trusted identities in the Security panel…
… then set Signature preferences in the Digital Signatures panel…
… and then still more preferences in the Rights Management Servers panel. This is helpful but you can make things much easier on yourself by setting up Acrobat to load security settings from a centralized server, especially if those policies are likely to change over time.
Adobe Acrobat 9.0 introduced Server-based security. Server-based security helps users and organizations migrate existing security settings through version upgrades and across multiple machines. Settings can only be exported from Acrobat but settings can be manually imported by both Acrobat and Adobe Reader. You can deploy Acrobat and Reader to automatically update security settings so you can also use this capability to keep your security settings up to date for the entire time you have Acrobat X deployed. Acrobat and Reader can be configured to regularly check in with a server for updates to security settings and policies. This “Server-based security” feature is set up by an administrator who provides the URL from which to get security updates. Once the application is configured, Acrobat and Reader will periodically poll the server for updates.
To deploy Acrobat to use server based security, you’ll need to add the registry settings that correspond to the preferences you now see on your screen.
The easiest way to get the registry settings created exactly the way you want them is first to set up a copy of Acrobat to work with the settings you want to deploy out to everyone else and then export your security settings.
You need to begin by exporting the security settings from your already configured copy of Acrobat and Reader.
To export your security settings:
- Choose Tools > Protection > More Protection > Export Security Settings.
- Choose which groups of settings you want to export and click OK.
- Review and modify the security settings as needed, and then click Export.
- Select the method to use to encrypt the security settings, then click OK. This is considered optional, but I highly recommend it.
- Certify the file.
This process exports an .acrobatsecuritysettings file.
Once you have an .acrobatsecuritysettings file, upload it to your server. Test the settings file using a fresh copy of Acrobat or Reader by manually configuring the viewer to Import Security Settings from a server using the preferences dialog. Once you’ve confirmed that it’s working properly, go back to the Customization Wizard.
In the Registry panel of the Customization Wizard, locate HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\10.0\
You will probably need to create the new keys for “Security” and “cDigSig” unless you’ve done so previously. Then simply copy the cCustomDownload key to the destination computer registry by dragging it from the top window to the bottom.
With all steps complete, you are ready to deploy Acrobat.
Please visit the show page for links to an MST file with some of the settings I discuss already set and other valuable resources like…
the Enterprise Administration of the Acrobat X Family of Products page, which provides technical documentation and tools for deploying and maintaining Acrobat,
the IT Resources page, which has a more comprehensive list of resources for IT, including end-user training and technical support, licensing options and extending Acrobat products, and finally,
the IT Matters blog, which hosts the show page and contains articles and news for IT managers and Power Users by me, Joel Geraci, your Acrobat Technical Evangelist.