Creating a Microsoft App-V Package of Adobe Acrobat Reader DC
Many large enterprises use Microsoft’s Application Virtualization product, App-V, to distribute applications throughout their organization. They do this because they want to isolate the core of the applications from differences in computers and other applications installed, plus they want to pre-configure many of the features prior to deployment. The ubiquitous Adobe Reader application has long been a prime candidate to deploy through App-V, although in the past there were technical issues as Adobe increased the built-in security of the product and these security changes conflicted with App-Vs own efforts to secure the assets. But this is no longer the case, Adobe Reader DC and App-V 5.1 work great together.
Just to be clear, I am talking about the free Adobe Acrobat Reader DC, not other versions. Certain aspects of Adobe Acrobat DC Std and Pro can be challenging for virtualization. Specifically portions of Std and Pro, like the print driver, are still a challenge to virtualize but can be overcome with ingenuity.
Adobe has gotten pretty good at deployment options lately. It would be nice if more software vendors supported the IT Professionals that are responsible for preparing to roll out their software with tooling beyond the MSI command line options the way Adobe does. And they have been doing a great job of working with the App-V team at Microsoft, so there aren’t any significant issues in sequencing Acrobat Reader DC. Here is everything you need to know to do it yourself in four steps.
1. Get a Distribution Agreement from Adobe
If you want to distribute Reader, or a handful of other Adobe products, inside your company you need to apply for a distribution agreement. This is a pretty simple process. You fill in a web form and a short while later you get an email back. But in addition to making you legal, the email also gets you access to the full downloadable installers rather than the ones that download from the internet. You want to download those full installers so that you have full reproduction capabilities and documentation.
2. Get the Customization Wizard for Adobe Reader DC
The Acrobat Customization Wizard DC makes it easy to customize the Reader installer up front, before you try to install the software. Even if you aren’t going to virtualize the product with App-V, it is well worth the effort to customize the installer before you distribute. Just be sure to get the copy for the version of Reader that you intend to sequence.
3. Customize the Installer
I prefer to start the process on a clean machine, which makes the App-V Sequencer VM a convenient place. We’ll revert the machine before sequencing so it is OK to dirty it.
Install the Customization Wizard installer. Start it up. It is built with a ton of documentation on the process, so you might not need this guide, but if you want a simple step-by-step without having to think, read on here…
The documentation explains that you should start by unpacking the exe based installer they supply to get at the MSI files inside. The instructions didn’t work for me, so here is what I did. [Note: The documentation has been updated to correct this.] I downloaded a copy of 7zip and installed that on the sequencer (you could also use any other tool that can crack open an exe installer). Open the file and extract the contents out into a folder on the desktop.
You will find both an msi, the installer for the major version, and a msp patch installer. The latter changes on the minor updates. We will use the Customization tool to work just with the MSI and create a MST transform file that can be applied.
When you use the Customization Wizard tool, it might give you a warning about backing up your files. Create a new folder and copy the MSI file into that folder. Using the Customization Wizard tool, open up the original msi file and ignore the warning.
On the left hand side is a menu for customization areas. Clicking on one will scroll the documentation window to the appropriate page. Some pretty good detail is there to explain things, so I’ll just cover the things you most likely want to change.
Most packagers will want to accept the EULA once on behalf of the company and not bother end users with it. The default installation path is OK with App-V these days as VFS style installations are generally preferred over PVAD style installations.
Here you may want some changes:
- I prefer to make the software the default reader.
- I also want to uncheck the Enable Optimization feature as I don’t want defragmentation occurring on the sequencer.
- I use to let the installer cache in the package for possible self-repair, but since App-V 5 won’t let executable components be written to, you are better off unchecking that box.
- I set the Run Installation setting to Unattended, but that is a personal choice. Reboots shouldn’t be needed for Reader DC during the actual installation if the sequencer image is clean, but should it be needed you want to be prompted. In App-V 5, it is OK to reboot during the sequence.
Files and Folders
The Files and Folders is one where you probably don’t have to do anything. There are some vc runtime files that will be installed if not present on the system, but App-V will have those covered so they won’t appear in the package.
Similarly, you might not need to do anything on the Registry page. The exception would be when you find it easier to install and configure the product natively first, then extract the registry settings with a regedit export to a file. Sometimes that is an easier way to make sure you get things like the security settings right. If you do that, just add the entries on this page.
On the Shortcuts page of the wizard, you probably want to remove the desktop from the shortcut (right click on the shortcut and select remove). Because the name of the shortcut for the start menu is different than for previous versions, it is possible to roll out the DC version using App-V in parallel to an older version (whether that version is virtualized with App-V or is natively installed).
Skip the Server Location page unless you know that you need to add something here.
Setting up the security options is really important at some companies, while others will just skip this page. Read the documentation for details.
If you skipped over the Security page, skip over the Digital Signature** **page also.
I’m sure some customers care about the WebMail Profiles, but suspect that those customers are using the Pro version. If you don’t know why you want to make a change here, move on.
Online Service and Features
On the Online Service and Features page, we run into features that some enterprises do not want.
Self-updating is not supported in App-V 5.1, so you always want to disable the product updates. When you need the updates, you upgrade the App-V package and redistribute. Reader DC has a windows service used for the update, so uncheck the Disable product updates (1, below).
Item 2 on the display is probably more related to security. I’m willing to trust Adobe, but check with your CSO.
The idea behind DC version is that you can do a lot more than just read PDFs. But all of those other things are online, cloud based services. And someone has to pay for them. The Pro version includes all of them, but users can purchase a subscription to just what they need, like PDF to Word“>convert a PDF to Word, rather than purchase the whole suite. For many enterprises I talk to, they want to control these features.
While it might seem that checking the two Disable checkboxes (1 and 3, below) might get rid of the updates and access to cloud features, unfortunately it does not completely do so. If you want to eliminate those features you probably need to find an older Adobe Reader to install instead.https://blog.adobe.com/media_730bf935bd937bbc9f2e30e135f5f6551b06e3a6.gif
Comments and Forms
The Comments and Forms page covers those features. If you select the Auto Complete option, keeping the Remember checkbox unchecked for numeric fields is a good idea to prevent the user from accidentally storing PII data like phone, account, and social security numbers in their profile.
The File Attachments page is interesting. The defaults are probably fine, but it shows how Adobe has had to react to exploits allowing executable components to find their way into PDF files.
Launch Office Applications
Edit the Launch Office Applications page if you need this integration, which is rare. If you need this, you should probably have installed office before running this wizard.
On the Other Settings page, you can set this feature to save ink when printing PDFs. Adobe seems to think this is a good idea, but it could be just another reason for a help desk call.
The Direct Editor page allows you to directly edit the MSI tables. You probably don’t need to.
One example where you might chose to is to disable the arm updater service. We already disabled the updater, but making sure the back-end service is set to disabled will reduce some overhead. Just set DISABLE_ARM_SERVICE to the value 1 is one way, but setting the StartType to the ServiceInstall table entry (shown below) to disabled is another.
I’m sure there are a bunch of other things you can do to tweak the installed package further, but this covers the basics. When you are happy, it is time to save off.
There are two ways to save off your work. Use the second way (File menu).
The first method is to use the Transform menu to save off the MST file. Just name it something like AppV and just place it in the same folder. Technically, it is possible to create individual Transforms to set individual items, and then chain the MSTs together in the combinations you need. While an interesting concept, it probably isn’t worth the hassle and you should just have one MST to link in.https://blog.adobe.com/media_eeed13327e6158af69b13d59abe95d268e4c1bbb.gif
The second method is to use the File menu and save in the same folder as the MSI also. This creates an mst file with the same name as the msi, plus it also edits the setup.ini file, so you won’t have to remember the syntax to run the msi with the msp and mst on a single command line.
Here are the updated files. I’m not sure what the .ref file is, but it causes no harm.https://blog.adobe.com/media_fee3ce57881845e5d400342de23b95143575050f.gif
Save off this folder as your customized installer. You’ll want to pop it up to a network share as you’ll then revert the sequencer.
The Sequencing is pretty straight forward at this point! Between pre-customizing the installer, and the great work done between the Adobe and App-V development teams, we don’t have issues today.
You don’t need to PVAD the installer. Just run the setup.exe without arguments when in monitoring mode and your administrative install will complete without further input, using your MST file and the msp patch installer. I suppose you could clean out the cached installer or restrict the package to certain operating systems, but otherwise no special settings or edits should be necessary, just save off the package.
Caveats and Options
The Application Capabilities feature of the installer requires publishing globally, but you can probably live with hard coding of Reader DC as the default for pdfs.
To get the benefits of browser integration, the browser must run in the virtual environment. Without this, when the user clicks on a PDF on a web page, Reader DC will open as a separate application and window to display the PDF; with this the PDF displays inside the browser window using the COM interface connected via browser plugin. Use of App-Vs Connection Groups and/or RunVirtual is recommended to achieve this tight integration.