How to configure Group Policy for Adobe Reader XIThe next version Adobe has just released the latest version Acrobat Reader XI. One of the new features of this version is that it now has official group policy support with the release of administrator templates. Update: As you are about to read the Group Policy support for now is some what limited and is not a true group policy setting in all cases. This tool allows you to configure and lock down the UI of a vast number of applications including Adobe Reader but also in house written custom applications. If you want to find out more about how to configure Adobe Reader with Policy Pak then go to http: //www. How to install administrative templates for Adobe Reader XIStep 1. Download and extract the administrative templates from ftp: //ftp. Reader. ADMTemplate. Step 2a (Local adm/admx). Copy the extracted files to C: \Windows\Policy. Definitions including the “EN- US” sub folder folder on your computer you normally edit your GPO’s on. Learn how to create Packages and deploy apps and updates to your end users. Hi Hau, Have you sequenced Adobe Reader X on App-V 5 Beta2? I'm having trouble hiding "Check for Updates" tab. Reply Delete. Just where the heck is StealthPuppy when you need him? Somebody has to talk about Adobe Acrobat Reader DC and App-V. At times it has been hard to sequence Adobe. Step 2 b(Central Store). If you have a central store configured in your environment then copy the files to \\FQDN DOMAIN\SYSVOL\FQDN DOMAIN\policies folder. And your done. Once installed you can see below there are both computer and users based setting in the administrator templates when you edit a new GPO. As you can see below the computer settings are actual “policy” settings and as such do act and behave as normal group policy settings. That is they disable the UI of the program when applied and revert back to the original setting when removed. Below is an example of the “Auto- Complete” UI that has been disabled as shown configured above. If you have ever read my previous blog post How to make Adobe Reader more secure using Group Policy you will know that one of the quickest settings you can do to improve the security of Reader is to simply turn off the rarely used Java. Script functionality. Thankfully this is one of the users settings that is provided in the admin template. But as this is a “Non- Managed” as shown by the black down arrow on the icon next to the setting. This also means that the users can temporarily override the setting as you can see below the UI is not disabled. It also means that when the policy is no longer applied to the computer the setting will not revert back to the original setting. While it is nice that Adobe is finally offering group policy support for its productions the settings that it does provide are somewhat limited. However this is only the first release of the admin templates and hopefully we will see Adobe continue to add more group policy support into all of its production going forward. Additional Information. If you want more information about how to deploy Adobe Reader XI in your environment including how to lock down some of UI then check out Aaron Parkers blog post at http: //blog. Adobe Reader XI Download Links. Program ftp: //ftp. SCCM 2. 01. 2: Application Deployment Detection Methods. This is an article in a continuing series on the new Application model in SCCM 2. You can find a high level overview of applications and how they differ from packages here: http: //www. Detection methods allow the administrator to check software installs to ensure that the application is not already installed. It can also prevent an install of an application if it conflicts with another application that is already installed. Also, during the normal “Application Deployment Evaluation Cycle”, the SCCM client can detect whether an application is installed using these methods, even if the user did not use Software Center or the Application Catalog to install it. Default Detection Types. There are three default ways that SCCM can detect an application. Any of these methods work great, especially given the granularity at which the administrator can define the method. File System. The first method is file system. This method detects whether a file or folder is present on the system. If the file system object is not present, the application is marked as not installed. The administrator can mark it as just being present, or apply logic to say that the file or folder had to have been modified after a certain date or equal a particular file version (just to name a few). You can use the “Browse” button to find the file on your computer. This will pull in all relevant information, such as the file version or modified date. You can also use the “Computer name” box to connect to a remote computer (Windows Remote Management must enabled in your environment for this to work). One important thing to watch is the “This file or folder is associated with a 3. By default, if you are on a 6. SCCM will only verify against “C: \Program Files” or “C: \Windows\system. Program Files (x. Sys. WOW6. 4”. If the application installs to “C: \Program. Files (x. 86)” or puts something in “C: \Windows\Sys. WOW6. 4” and you queue off of that file, SCCM will not find it. When the user attempts to run the application, it will install again, possibly corrupting it or making it unusable. Registry. The second method is registry. The first thing to select here is the hive. You can select any registry hive you want. You can use the “Browse” button in the same way that you can for file system. You simply put the Key path in the “Key” box, and the value in the “Value” box. In the “Data Type” box, select the type of the data the value holds. If you must test for the data in a key, select the “This registry setting must satisfy the following rule to indicate the presence of this application” and fill in the data in the “Value” box. I would caution against using a key in HKEY. This hive is loaded per user, and every user’s CURRENT. Using this hive will work if the application can only be installed per user, instead for all users on a machine. As with the file system method, pay attention to the “This registry key is associated with a 3. This checkbox needs to be checked if you are targeting a key on a 6. HKEY. This method is automatically filled in when using an MSI install type. This method detects whether the MSI product code exists on the system. This method should only be used when dealing with an MSI. If you do not use the MSI install type, you can use the “Browse” button and find the MSI installer to automatically pull the product code. For products that update, but keep the same product code, you can use the “This MSI product code must exist on the target system and the following condition must be met to indicate the presence of this application” options to specify the version of the MSI. A product keeps the same product code if it updates via an . MSP file. It is best to test these before deploying them. Custom Detection. If you cannot adequately detect your application using one of the default methods, you can use a custom script. SCCM determines that the application is installed if the script returns successful. To use a custom script, select “Use a custom script to detect the presence of this deployment type”. Click the “Edit” button to bring up the script window. From the edit window, there are three script types. You can select Power. Shell, VBScript, or JScript, depending on your preference. If you already have the script typed up, you can hit the browse button to find it, and SCCM will import it for you. Again, pay attention to the “Run script as 3. SCCM must execute the script properly for it to detect the application. Logs. It can be difficult to get these methods working if they are complex. There are two logs that you can reference to see what SCCM is doing. They are “Appenforce. Appdiscovery. log”. These will give you detailed information on what exactly SCCM sees when it runs the detection methods, and the subsequent result. Appenforce. log shows the actual install of the program, while the Appdiscovery. These logs can be found in “C: \Windows\CCM\logs” and are viewable using the CMTrace. Summary. While complex, these new detection methods allow administrators to finely tune their installers to ensure that they only get to the devices that need them. Setting these detection methods up correctly will also give you a better count of machines that have something installed. Even if the user does not install the application from Software Center or the Application Catalog, their devices will still register as having the program. This is a huge step forward in software management. This final screenshot illustrates this fact. The application shown here was only converted from a package to an application a week before this article’s writing. All of the machines in this count installed this software before it was converted. These statistics are viewable just be clicking on the application in the SCCM console.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
August 2017
Categories |