Security Hardening Adobe Acrobat DC for macOS

adobepdf

The Security Team is asking me to install the Adobe Acrobat DC (Version 2020.009.20067) package to our macOS laptops. (Mojave 10.14.6)

In addition to simply push the Adobe Acrobat DC package to our macOS laptops, I need to (no sure if it is a custom package, or custom settings, or configuration profile, or policy, or .mobileconfig, or etc.) trying to mimic and do my best to apply all the security hardening requirements coming from this website:

https://www.stigviewer.com/stig/adobe_acrobat_professional_dc_continuous/2018-04-30/MAC-3_Sensitive/

Unfortunately, if you open the above website, all the vulnerabilities solutions are for Windows OS only.

How do I achieve the same on a macOS system?

I was wondering if you have any official Adobe Acrobat Pro guide or pdf or recommendations or tools that can help me to achieve my project.

I did noticed when I install Adobe Acrobat DC on a macOS laptop, 2 .plist files are created:

/Library/Preferences/com.adobe.acrobat.pro.plist

/Users/username/Library/Preferences/com.adobe.acrobat.pro.plist

Are these the files that I need to manipulate in order to achieve my goal? If the answer is yes, reading the website above, how can I determine, just from the Title Description, from each Finding ID, which is the value inside the. plist that I need to manipulate? It is kind of impossible.

If you were me, what would you do?

Thank you so much in advance for your help

Best Answer

I would start with one thing and that’s work on your time to patch in your environment. Measure how many endpoints are out of date and average time to get machines patched once Adobe releases an update (plan on 40 updates a year if you use the core CC suite - 15 if you just deploy acrobat).

  1. You can control it.
  2. It’s something one person can tackle.
  3. It is your best defense to get ready to take next steps on how the quickly patched software is used.

If you don’t have federated ID services, get that next. Then look at Adobe Console to use SSO / federation and then decide if you just manage apps and lock everyone out of Adobe Updates and have a side channel for patching. JAMF and Munki and Fleetsmith (cough, Apple) are the three solutions I would evaluate if you know nothing about MDM. If you know everything about MDM - still evaluate them and then expand to include your current MDM or others that might fit your niche.

Security is a war of attrition and you will never have enough time to train, hire, manage but you can get better at evaluating your biggest gaps, work to close them and then repeat the observe, measure, plan, act, measure, react cycle.

Related Question