Adobe's enterprise offerings let your organization, create, collaborate, and deliver on the web, mobile, or desktop with the latest Adobe apps and services. With centralized license management tools and enterprise-level technical support, your IT function is fully equipped to support creative teams at scale.
If you are planning a Creative Cloud or Document Cloud deployment, take some time and consider how to deploy and manage applications, storage, and services. This article covers all the information you require for planning purposes. There are several topics that must consider when you plan your deployment.
- License deployment
- Identity management
- Applications and updates
- Storage and services
- Users, product profiles, and licenses
- Migrating existing users
When you purchase a product from Adobe, a license represents your right to use Adobe software and services. Licenses are used to authenticate and activate the products on the end user's computers.
For more information, see Understand licensing.
Named License deployment ties the usage of Adobe apps and services to an individual user. Named licensing works well if the product and service requirements are closely associated with a user or a role. Named licensing provides IT admins complete control to add and remove product licenses for a user at any time. It also facilitates better compliance tracking as IT admins don't need to track machines, and can manage licenses centrally. Named licenses require periodic Internet connectivity. Computers must connect to Adobe servers for initial activation, and then at least once every 99 days. End users cannot use mobile apps unless the company deploys named licenses. For example, if the IT Admin uses serialized licenses, end users will be unable to use mobile apps.
Named licensing is useful in the following scenarios:
- If you want to provide access to Adobe-hosted services.
- If you want to use Adobe Admin Console for centralized license and compliance management.
- If you require flexible licensing over time, for example, a designer moving from a video product profile to a web product profile.
- If you want to enable self-service workflows for users to acquire apps and updates.
Serial Number licensing is a historical method of licensing that is not tied to an individual user but to a particular computer. This licensing method is suitable for a very small number of customers and, as with named licensing, can be used to create pre-licensed packages that are deployed remotely. However, when using serial number licensing, customers do not receive the complete value from their Adobe Cloud subscription.
Adobe uses an underlying identity management system to authenticate and authorize users. If you're using named licensing or are planning to provide access to services, using identities is a requirement. Adobe supports three identity or account types; they use an email address as the user name.
Adobe ID is created, owned, and managed by the end user. Adobe performs the authentication and the end user manages the identity. Users retain complete control over files and data associated with their ID. Users can purchase additional products and services from Adobe. Admins invite users to join the organization, and can remove them. However, users cannot be locked out from their Adobe ID accounts. The admin can't delete or take over the accounts. No setup is necessary before you can start using Adobe IDs.
Adobe recommends Adobe IDs for the following requirements:
- To enable users to create, own, and manage their identities.
- To allow users to purchase or sign up for other Adobe products and services.
- When users are expected to use other Adobe services, which do not currently support Enterprise or Federated IDs.
- When users already have Adobe IDs, and associated data such as files, fonts, or settings.
- In Higher Education settings so that adult students can easily retain the same Adobe ID and account content upon graduation.
- If you have contractors and freelancers who do not use email addresses on domains you control.
Enterprise ID is created, owned, and managed by an organization. Adobe hosts the Enterprise ID and performs authentication, but the organization maintains the Enterprise ID. End users cannot sign up and create an Enterprise ID, nor can they sign up for additional products and services from Adobe using an Enterprise ID.
Admins create an Enterprise ID and issue it to a user. Admins can revoke access to products and services by taking over the account, or deleting the Enterprise ID to permanently block access to associated data.
Adobe recommends Enterprise IDs for the following requirements:
- To maintain strict control over apps and services available to a user.
- For emergency access to files and data associated with an ID.
- To have the ability to completely block or delete a user account.
- In all K-12 user settings to ensure compliance with student privacy and other relevant laws.
Federated ID is created and owned by an organization, and linked to the enterprise directory via federation. The organization manages credentials and processes Single Sign-On via a SAML2 Identity Provider (IdP).
Adobe recommends Federated IDs for the following requirements:
- To provision users based on your organization's enterprise directory.
- To manage authentication of users.
- To maintain strict control over apps and services available to a user.
- To allow users to use the same email address to sign up for an Adobe ID.
- In all K-12 user settings to ensure compliance with student privacy and other relevant laws.
You can use Adobe IDs, Enterprise IDs, and Federated IDs in the same enterprise deployment. Use Enterprise or Federated IDs for users where you want to strictly manage the accounts.
Adobe Licensing Website does not support Federated or Enterprise IDs. If you are planning to use serial number licensing, Adobe recommends that all administrator accounts be set up using Adobe IDs.
A directory in the Admin Console is an entity that holds resources such as users and policies like authentication. These directories are similar to LDAP or Active Directories.
To use Enterprise IDs or Federated IDs, start by setting up a directory to which you can link one or more domains.
To set up a directory:
- Create a directory in the Admin Console.
- (Federated ID only) Adobe will provision the directory. This usually takes up to 48 hours.
- If you set up your organization for Enterprise ID identity, you can start linking your email domains to the directory.
- (Federated ID only) After Adobe has provisioned your directory, configure the SAML settings for the directory.
For more information, see Set up identity.
User identities are verified against an authorization source. To use Enterprise ID or Federated ID, set up your own authorization source by adding a domain. For example, if your email address is firstname.lastname@example.org, example.com is your domain. Adding a domain permits the creation of Enterprise IDs or Federated IDs with email addresses on the domain. A domain can be used either with Enterprise IDs or Federated IDs, but not both. You can however add multiple domains.
An organization must demonstrate their control over a domain. An organization can also add multiple domains. However, a domain can be added only once. Known public and generic domains, such as gmail.com or yahoo.com cannot be added at all.
For more information, see Set up domains.
The Adobe Admin Console offers a method for enterprise users to authenticate using their existing corporate identity. Adobe Federated IDs enable integration with a Single Sign-On (SSO) identity management system. Single Sign-On is enabled using SAML, an industry-standard protocol that connects enterprise identity management systems to cloud service providers like Adobe.
When you add users with Federated IDs, automatic emails are not sent to the users. You must plan and communicate with users when you create Federated IDs. If users already have Adobe IDs that use the same email address, see Switch from Adobe ID to Enterprise ID to understand the sign-in procedure and the impact it has on their existing content and application.
If your organization wants to test the SSO integration, you can claim a test domain that you own. Your organization must have an Identity Provider with identities set up in that test domain. This process allows you to test the integration before you claim the main domains, until you feel comfortable with the domain claim and configuration process.
For more information, see Configure Single-Sign On.
For Named licenses, Product Profiles are used to associate licenses with individual users. To assign licenses, add users to a Product Profile. A user can be a member of multiple Product Profiles, and each Product Profile can confer different licenses to the user. The final eligibility of a user is the union of all licenses conferred by each Product Profile.
Consider how to deliver sets of licenses in a way that fits how users are assigned responsibilities in your organization. For example, if all the users in a department need Photoshop, you can create a department Product Profile which confers Photoshop Single App. However, if in a department, web designers need Photoshop and Dreamweaver, while video editors need Premiere Pro and After Effects, use two Product Profiles- one for the Web Designer role, and one for the Video Editor role.
Some users play multiple roles. A user who performs both web design and a video editing can be added to both Product Profiles, conferring the union of licenses from each Product Profile, that is Photoshop, Dreamweaver, Premiere Pro and After Effects.
Product Profiles also make it easy to manage licenses. When users move from a web design role to a video editing role, add the users to the video editing Product Profile and remove them from the web design Product Profile. This changes the activated products for the user and frees up licenses. When Product Profile requirements change - for example, when the video editing Product Profile needs to use Prelude, it can be added to the video editing Product Profile and all users immediately get access to Prelude.
A license is consumed when a user is added to a Product Profile. If a user is a member of two Product Profiles and both confer a license to Photoshop Single App, the user consumes two licenses. To eliminate redundant consumption of licenses, design your Product Profiles. Identify each Product Profile that needs a particular application or set of applications to do their job.
Identify the following:
- Products: The licenses for a product govern which applications and services are conferred to each member of an associated Product Profile.
- Product Profile name: Identify each Product Profile. The labels you choose to identify the Product Profiles are for your own use only. They are not included anywhere in the deployment package, so there are no restrictions on how you name them. In practice, it is better to create Product Profiles based on function, rather than departments or teams.
- Services: Choose from the available list of services for a selected product. For example, Creative Cloud for enterprise includes services such as Adobe Spark and Typekit.
- Users: Identify the users to add to each Product Profile.
For more information, see Manage products and profiles.
Adobe delivers continuous innovation in the form of features and updates. IT admins can decide how and when these updates are applied. Decide how to deliver these apps and updates to your end users. At this stage, also consider the hardware and software requirements of client computers. Adobe enterprise offerings provide several levels of control on deploying apps and updates. IT admins can choose between empowering users via a self-service workflow or they can opt for a more managed environment where admins can decide what, when, and how products and features get installed.
Like millions of Adobe users, you can allow your users to download and install apps themselves. Users can sign in to www.adobe.com and download and install the desktop apps and access services. Self-service workflows require admin privileges, Internet connections, and Named licensing. Include the Creative Cloud desktop app in the software package that you deploy.
Self-service workflows enable users to download and install apps as and when required. Apps that a user is entitled to get, are provisioned when the user signs in. Other apps can be used as a trial for a limited time. This also frees up admins from creating and deploying multiple packages and updates. For example, self-service workflows are efficient in the following scenarios:
- You have diverse and changing requirements of apps by different users.
- Your users have several hardware and operating system combinations.
- You have remote workers in your organization.
- Different teams and users upgrade at different times, because of ongoing projects.
- You want to reduce the initial footprint on a machine by allowing a user to install only the applications they require, and for as long as they require.
You can create and download pre-configured packages from the Admin Console. These packages can then be deployed to the client machines in your organization. You can perform silent and custom installations. No inputs are required from end users during installation. The deployment packages can be distributed using industry-standard tools such as Microsoft System Center Configuration Manager (SCCM) and Apple Remote Desktop (ARD).
You can create two types of packages: self-service package and managed delivery package. The self-service package contains the Creative Cloud desktop app, which users can use to download and install software. If end users do not have admin privileges on their computers, you can create a Creative Cloud desktop app package with elevated privileges. Or you can create a managed delivery package that contains specific apps and updates.
For more information, see Packaging apps using the Admin Console.
For example, you can use managed delivery of apps for the following:
- To exercise strict control over installed apps on client machines.
- To reduce Internet bandwidth consumption, by preventing multiple self-service downloads.
- When there is no Internet access on client computers.
- To strictly control the versions of installed apps across your organization.
- To modify the update behavior in installed applications.
There are several mechanisms to deliver app updates available to end users. Choose one of the following based on your organization's need.
Users can download and install updates directly from Adobe. This method ensures that your end users have access to the latest updates when they become available. Updates can be downloaded and installed using the Creative Cloud desktop app or using the Adobe Updater included with the apps. For these workflows, the client machines require access to the Adobe servers and admin privileges.
This option is available for both self-service and managed app delivery.
When you create packages, you can choose a managed update delivery mechanism.
- Have client machines install updates via an internal update server.
- Trigger updates remotely using Remote Update Manager. Use this option when client machines don't have admin privileges.
- Create and deploy Update only packages using Creative Cloud Packager.
For more information on managed delivery, see Applying updates.
Storage and services are available for all Creative Cloud for enterprise plans. Storage and services are tied to individual users. Access to storage and services requires using either Adobe IDs, Enterprise IDs, or Federated IDs.
To disable all Creative Cloud services and storage, it is essential to let Adobe know about your preference during on-boarding.
When you assign a user to a Product Profile that includes storage and services, you can choose to enable/disable individual services for that Product Profile. Enabling and disabling services defines what the users of the Product Profile can or cannot access.
For more information, see Manage enterprise storage.
Several Creative Cloud services, rely on the availability of storage with the product. If a product does not include storage, these services are also unavailable. Some services are mandatory, and cannot be switched off. For more information, see Enable or disable services.
You can even select restrictive Asset Settings that limit employees from using specific sharing features within Creative Cloud and Document Cloud.
For Creative Cloud for enterprise plans, access to named licensing, storage, and services require the client computers to access Adobe servers. For these features to work, ensure that your firewall and proxy setup allows access to Creative Cloud service endpoints. See Creative Cloud for enterprise - Network Endpoints and ensure that users can access the required web services endpoints.
Named licensing provides several advantages as compared to anonymous or Serial number licensing. Administrators can closely track and monitor the usage of licenses. They can also centrally manage licenses assigned to a user and revoke access to apps and services, without a need to redeploy packages. Named license can also enable self-service workflows to let customers download and install products and updates. Named licenses also enable end users to use cloud services, such as add fonts from Typekit, choose file sync locations, and share and gather feedback on Behance.
For more information, see Migrate from Serial number licenses to named licenses.