Adobe's enterprise offerings let your organization, create, collaborate, and deliver on the web, mobile, or desktop with the latest Adobe apps and services. With centralized license management tools and enterprise-level technical support, your IT function is fully equipped to support creative teams at scale.
If you are planning a Creative Cloud or Document Cloud deployment, take some time and consider how to deploy and manage applications, storage, and services. This article covers all the information you require for planning purposes. There are several topics that must consider when you plan your deployment.
- License deployment
- Identity management
- Applications and updates
- Storage and services
- Users, product profiles, and licenses
- Migrating existing users
When you purchase a product from Adobe, a license represents your right to use Adobe software and services. Licenses are used to authenticate and activate the products on the end user's computers.
For more information, see Understand licensing.
Named licensing is useful in the following scenarios:
- If you want to provide access to Adobe-hosted services.
- If you want to use Adobe Admin Console for centralized license and compliance management.
- If you require flexible licensing over time, for example, a designer moving from a video product profile to a web product profile.
- If you want to enable self-service workflows for users to acquire apps and updates.
Serial Number licensing is a historical method of licensing that is not tied to an individual user but to a particular computer. This licensing method is suitable for a very small number of customers and, as with named licensing, can be used to create pre-licensed packages that are deployed remotely. However, when using serial number licensing, customers do not receive the complete value from their Adobe Cloud subscription.
Adobe uses an underlying identity management system to authenticate and authorize users. If you're using named licensing or are planning to provide access to services, using identities is a requirement. Adobe supports three identity or account types; they use an email address as the user name. These identity types are:
- Federated ID: Created, owned, and managed by an organization and linked to the enterprise directory via federation. The organization manages credentials and processes Single Sign-On via a SAML2 Identity Provider (IdP).
- Enterprise ID: Created, owned, and managed by an organization. Adobe hosts the Enterprise ID and performs authentication, but the organization maintains the Enterprise ID.
- Adobe ID: Created, owned, and managed by the end user. Adobe performs the authentication, and the end user manages the identity.
Based on your organizational needs, you can select the most appropriate identity model to implement and use.
You can use Federated IDs, Enterprise IDs, and Adobe IDs in the same enterprise deployment. Remember, when you set up an account using Adobe ID, end users retain complete control over files and data associated with this account. When you use a Federated ID or an Enterprise ID, it is the enterprise that owns and controls this content.
Adobe recommends admins to migrate Adobe ID users to Federated and Enterprise IDs to provide organizations complete control over users and application assets.
Adobe Licensing Website does not support Enterprise or Federated IDs. If you are planning to use serial number licensing, set up all administrator accounts using Adobe IDs. For user accounts, Adobe recommends using Federated and Enterprise IDs.
A directory in the Admin Console is an entity that holds resources such as users and policies like authentication. These directories are similar to LDAP or Active Directories.
To use Enterprise IDs or Federated IDs, start by setting up a directory to which you can link one or more domains.
To set up a directory:
- Create a directory in the Admin Console.
- (Federated ID only) Adobe will provision the directory. This usually takes up to 48 hours.
- If you set up your organization for Enterprise ID identity, you can start linking your email domains to the directory.
- (Federated ID only) After Adobe has provisioned your directory, configure the SAML settings for the directory.
For more information, see Set up identity.
User identities are verified against an authorization source. To use Federated ID or Enterprise ID, set up your own authorization source by adding a domain. For example, if your email address is email@example.com, example.com is your domain. Adding a domain permits the creation of Federated IDs or Enterprise IDs with email addresses on the domain. A domain can be used either with Federated IDs or Enterprise IDs, but not both. You can however add multiple domains.
An organization must demonstrate their control over a domain. An organization can also add multiple domains. However, a domain can be added only once. Known public and generic domains, such as gmail.com or yahoo.com cannot be added at all.
For more information, see Set up domains.
The Adobe Admin Console offers a method for enterprise users to authenticate using their existing corporate identity. Adobe Federated IDs enable integration with a Single Sign-On (SSO) identity management system. Single Sign-On is enabled using SAML, an industry-standard protocol that connects enterprise identity management systems to cloud service providers like Adobe.
When you add users with Federated IDs, automatic emails are not sent to the users. You must plan and communicate with users when you create Federated IDs. If users already have Adobe IDs that use the same email address, see Switch from Adobe ID to Enterprise ID to understand the sign-in procedure and the impact it has on their existing content and application.
If your organization wants to test the SSO integration, you can claim a test domain that you own. Your organization must have an Identity Provider with identities set up in that test domain. This process allows you to test the integration before you claim the main domains, until you feel comfortable with the domain claim and configuration process.
For more information, see Configure Single-Sign On.
For Named licenses, Product Profiles are used to associate licenses with individual users. To assign licenses, add users to a Product Profile. A user can be a member of multiple Product Profiles, and each Product Profile can confer different licenses to the user. The final eligibility of a user is the union of all licenses conferred by each Product Profile.
Consider how to deliver sets of licenses in a way that fits how users are assigned responsibilities in your organization. For example, if all the users in a department need Photoshop, you can create a department Product Profile which confers Photoshop Single App. However, if in a department, web designers need Photoshop and Dreamweaver, while video editors need Premiere Pro and After Effects, use two Product Profiles- one for the Web Designer role, and one for the Video Editor role.
Some users play multiple roles. A user who performs both web design and a video editing can be added to both Product Profiles, conferring the union of licenses from each Product Profile, that is Photoshop, Dreamweaver, Premiere Pro and After Effects.
Product Profiles also make it easy to manage licenses. When users move from a web design role to a video editing role, add the users to the video editing Product Profile and remove them from the web design Product Profile. This changes the activated products for the user and frees up licenses. When Product Profile requirements change - for example, when the video editing Product Profile needs to use Prelude, it can be added to the video editing Product Profile and all users immediately get access to Prelude.
A license is consumed when a user is added to a Product Profile. If a user is a member of two Product Profiles and both confer a license to Photoshop Single App, the user consumes two licenses. To eliminate redundant consumption of licenses, design your Product Profiles. Identify each Product Profile that needs a particular application or set of applications to do their job.
Identify the following:
- Products: The licenses for a product govern which applications and services are conferred to each member of an associated Product Profile.
- Product Profile name: Identify each Product Profile. The labels you choose to identify the Product Profiles are for your own use only. They are not included anywhere in the deployment package, so there are no restrictions on how you name them. In practice, it is better to create Product Profiles based on function, rather than departments or teams.
- Services: Choose from the available list of services for a selected product. For example, Creative Cloud for enterprise includes services such as Adobe Spark and Adobe Fonts.
- Users: Identify the users to add to each Product Profile.
For more information, see Manage products and profiles.
Adobe delivers continuous innovation in the form of features and updates. IT admins can decide how and when these updates are applied. Decide how to deliver these apps and updates to your end users. At this stage, also consider the hardware and software requirements of client computers. Adobe enterprise offerings provide several levels of control on deploying apps and updates. IT admins can choose between empowering users via a self-service workflow or they can opt for a more managed environment where admins can decide what, when, and how products and features get installed.
Like millions of Adobe users, you can allow your users to download and install apps themselves. Users can sign in to www.adobe.com and download and install the desktop apps and access services. Self-service workflows require admin privileges, Internet connections, and Named licensing. Include the Creative Cloud desktop app in the software package that you deploy.
Self-service workflows enable users to download and install apps as and when required. Apps that a user is entitled to get, are provisioned when the user signs in. Other apps can be used as a trial for a limited time. This also frees up admins from creating and deploying multiple packages and updates. For example, self-service workflows are efficient in the following scenarios:
- You have diverse and changing requirements of apps by different users.
- Your users have several hardware and operating system combinations.
- You have remote workers in your organization.
- Different teams and users upgrade at different times, because of ongoing projects.
- You want to reduce the initial footprint on a machine by allowing a user to install only the applications they require, and for as long as they require.
You can create and download pre-configured packages from the Admin Console. These packages can then be deployed to the client machines in your organization. You can perform silent and custom installations. No inputs are required from end users during installation. The deployment packages can be distributed using industry-standard tools such as Microsoft System Center Configuration Manager (SCCM) and Apple Remote Desktop (ARD).
You can create two types of packages: self-service package and managed delivery package. The self-service package contains the Creative Cloud desktop app, which users can use to download and install software. If end users do not have admin privileges on their computers, you can create a Creative Cloud desktop app package with elevated privileges. Or you can create a managed delivery package that contains specific apps and updates.
For more information, see Packaging apps using the Admin Console.
For example, you can use managed delivery of apps for the following:
- To exercise strict control over installed apps on client machines.
- To reduce Internet bandwidth consumption, by preventing multiple self-service downloads.
- When there is no Internet access on client computers.
- To strictly control the versions of installed apps across your organization.
- To modify the update behavior in installed applications.
There are several mechanisms to deliver app updates available to end users. Choose one of the following based on your organization's need.
Users can download and install updates directly from Adobe. This method ensures that your end users have access to the latest updates when they become available. Updates can be downloaded and installed using the Creative Cloud desktop app or using the Adobe Updater included with the apps. For these workflows, the client machines require access to the Adobe servers and admin privileges.
This option is available for both self-service and managed app delivery.
When you create packages, you can choose a managed update delivery mechanism.
- Have client machines install updates via an internal update server.
- Trigger updates remotely using Remote Update Manager. Use this option when client machines don't have admin privileges.
- Create and deploy Update only packages using Creative Cloud Packager.
For more information on managed delivery, see Applying updates.
Storage and services are available for all Creative Cloud for enterprise plans. Storage and services are tied to individual users. Access to storage and services requires using either Federated IDs, Enterprise IDs, or Adobe IDs.
When you assign a user to a Product Profile that includes storage and services, you can choose to enable/disable individual services for that Product Profile. Enabling and disabling services defines what the users of the Product Profile can or cannot access.
For more information, see Manage enterprise storage.
Several Creative Cloud services, rely on the availability of storage with the product. If a product does not include storage, these services are also unavailable. Some services are mandatory, and cannot be switched off. For more information, see Enable or disable services.
You can even select restrictive Asset Settings that limit employees from using specific sharing features within Creative Cloud and Document Cloud.
For Creative Cloud for enterprise plans, access to named licensing, storage, and services require the client computers to access Adobe servers. For these features to work, ensure that your firewall and proxy setup allows access to Creative Cloud service endpoints. See Creative Cloud for enterprise - Network Endpoints and ensure that users can access the required web services endpoints.
For more information, see Migrate from Serial number licenses to named licenses.