Ensure Acrobat is not running.
What is Microsoft Purview Information Protection?
Microsoft Purview Information Protection (MPIP) is a Microsoft rights management solution that enables a rights-based access to assets including PDF documents. Adobe Acrobat Pro/Standard and Reader desktop apps support consistent viewing of PDFs protected by Microsoft Purview Information Protection. In addition, for organizations standardizing on MPIP, we have launched the native experience to apply and edit Information Protection sensitivity labels and policies to their PDFs within the desktop version of Acrobat Pro/Standard.
For details, see Protect your sensitive data with Microsoft Purview.
Covered in this article:
- Consistent Viewing of MPIP protected PDFs
- Apply and edit MPIP sensitivity labels on PDFs in Acrobat
- Installation and setup
- Admin-defined labeling
- User-defined labeling
- Update and delete labels
- Default and mandatory labeling
- Additional MPIP setup requirements for Microsoft Sovereign Cloud tenants
- Setup requirements for Browser Authentication in MPIP workflow
- Setup requirements for Double Key Encryption labels in MPIP workflow
- Common questions
Consistent Viewing of Microsoft Purview Information Protection protected PDFs in Acrobat and Adobe Reader
Users of Azure Information Protection and other Microsoft Purview Information Protection solutions can use Acrobat or Adobe Reader to read labeled and protected content. For more on Acrobat and Adobe Reader support for viewing such files, see MPIP for Acrobat and Adobe Reader.
Steps to enable document message bar
To enabled the document message bar in MPIP protected PDFs in Acrobat and Adobe Reader, download the latest version of Acrobat or Adobe Reader, and then follow these steps (depending on your OS).
-
In the terminal, run the following commands:
- sudo /usr/libexec/PlistBuddy -c "Add :DC:MicrosoftAIP:ShowDMB array" ~/Library/Preferences/com.adobe.acrobat.pro.plist
- sudo /usr/libexec/PlistBuddy -c "Add :DC:MicrosoftAIP:ShowDMB:item1 bool true" ~/Library/Preferences/com.adobe.acrobat.pro.plist
- sudo /usr/libexec/PlistBuddy -c "Add :DC:MicrosoftAIP:ShowDMB:item0 integer 0" ~/Library/Preferences/com.adobe.acrobat.pro.plist
- sudo killall cfprefsd
- sudo /usr/libexec/PlistBuddy -c "Add :DC:MicrosoftAIP:ShowDMB array" ~/Library/Preferences/com.adobe.acrobat.pro.plist
For end users
If you're an end user, follow these steps to enable MPIP support in Acrobat.
- This feature is available in Acrobat starting from the June release 23.003.20201.1ec7624. If you have not upgraded to this version of Acrobat, your admin will need to enable the feature using the steps given in the section below.
- Enabling Sensitivity labelling also enables the document message bar (DMB) to display label information.
-
Open Acrobat.
-
Navigate to Preferences > Security.
-
Check Enable Microsoft Purview Information Protection, and click OK to confirm your selection.
ملاحظة:The availability of the Enable Microsoft Purview Information Protection option is determined by the registry settings configured by the admin (as described in the Admin section, below). If the registry is set by the admin, this option will be grayed out for the end user. Which means that the end user will not have the option to change the setting in the Preferences dialog, once configured by the admin.
-
Restart Acrobat to apply the MPIP settings.
For admins
As an admin, follow these steps to enable MPIP support in your enterprise environment.
Any MPIP label applied to a document may be updated by the user who has created the document or has appropriate rights to change the labels.
-
If your MPIP admin has applied this setting, you will be prompted to provide a justification for the update.
Choose or enter a justification and click Submit.
The Acrobat document message bar displays the updated label.
You can delete a label from a document that you have created.
-
Click Delete label, and then click Update.
-
If your MPIP admin has applied this setting, you will be prompted to provide a justification for deleting the label.
Choose or enter a justification and click Submit.
The label now does not appear on the Acrobat document message bar, at the top of the PDF.
The MPIP admin in your organization has the option to set up default and mandatory labeling. This means that, depending on these setting, you may be forced to apply labels (mandatory labeling) or the default label may be applied on your PDF if you don't set one (default labeling).
Windows
- Press the Windows key + r to open the Registry editor.
- Go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown.
- Set the value: bMIPCheckPolicyOnDocSave to 1.
- Create a DWORD32 type entry.
- Close the Registry editor.
macOS
In the macOS terminal window, run the following commands:
- sudo /usr/libexec/PlistBuddy -c "Add :DC:FeatureLockdown:bMIPCheckPolicyOnDocSave bool true" /Library/Preferences/com.adobe.acrobat.pro.plist
- sudo killall cfprefsd
Ensure that default and mandatory labeling settings are enabled in the Information Protection policy in Microsoft Purview Compliance Portal.
If your MPIP admin has set up default labeling for your organization, this means that if you don't set up a label, Acrobat will mark the document with the default label when you save the document.
For modified files you will be prompted to apply the default label when saving.
-
Following the steps detailed in the procedures above, to choose an Admin-defined or a user-defined label.
In the procedure to choose a label, if you click Cancel, the document will not be saved. So, when mandatory labeling is enabled, to save the document, you must choose a label.
Say you're working on a PDF with mandatory and default labeling setup. If you save the document without applying a label, you'll be prompted to sign in.
Enter you Microsoft email address and password.
After you sign in, the default label is applied to the PDF. So, when you save the document, the default label appears in the document message bar.
You can update the default label. You can also delete the default label.
As per your organization's policies, you are not required to apply labels. However, if required, may apply Admin-defined or a user-defined labels, as detailed in the procedures above.
When working with the MPIP protected PDFs, you must configure the registry to point Adobe Acrobat or Reader to your Microsoft Sovereign Cloud.
-
For Acrobat
- sudo /usr/libexec/PlistBuddy -c "Add :DC:FeatureLockdown:iMIPCloud integer <value>" /Library/Preferences/com.adobe.acrobat.pro.plist
- sudo killall cfprefsd
For Reader
- sudo /usr/libexec/PlistBuddy -c "Add :DC:FeatureLockdown:iMIPCloud integer <value>" /Library/Preferences/com.adobe.Reader.plist
- sudo killall cfprefsd
ملاحظة:The value of the registry is based on the type of your Sovereign Cloud. Refer to following link to see this mapping of values with Sovereign Cloud type:
- sudo /usr/libexec/PlistBuddy -c "Add :DC:FeatureLockdown:iMIPCloud integer <value>" /Library/Preferences/com.adobe.acrobat.pro.plist
-
Go to the following registry locations:
For Acrobat
- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\Trunk\FeatureLockDown
- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown
For Reader
- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Reader\Trunk\FeatureLockDown
- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Reader\DC\FeatureLockDown
And set the following registry entries:
- Registry Type: REG_DWORD
- Name: iMIPCloud
ملاحظة:The value of the registry is based on the type of your Sovereign Cloud. Refer to following link to see this mapping of values with Sovereign Cloud type:
- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\Trunk\FeatureLockDown
-
Ensure Acrobat or Reader are not running.
-
Keeping the Command button pressed, press the Space bar.
-
In the Search bar, enter Terminal, and double-click Terminal in the left sidebar to open the macOS terminal.
-
In the terminal, run the following commands:
For Acrobat:
- sudo /usr/libexec/PlistBuddy -c "Add :DC:FeatureLockdown:bMIPExternalAuthAdmin bool true" /Library/Preferences/com.adobe.acrobat.pro.plist
- sudo killall cfprefsd
For Reader:
- sudo /usr/libexec/PlistBuddy -c "Add :DC:FeatureLockdown:bMIPExternalAuthAdmin bool true " /Library/Preferences/com.adobe.Reader.plist
- sudo killall cfprefsd
- To disable, use the value false in place of true
- sudo /usr/libexec/PlistBuddy -c "Add :DC:FeatureLockdown:bMIPExternalAuthAdmin bool true" /Library/Preferences/com.adobe.acrobat.pro.plist
-
Ensure Acrobat or Reader are not running.
-
To open Windows registry editor, press the Windows key + r and type regedit.
-
Go to the following registry locations:
For Acrobat:
- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\Trunk\FeatureLockDown
- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown
For Reader:
- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Reader\Trunk\FeatureLockDown
- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Reader\DC\FeatureLockDown
And set the following registry entries:
- Registry Type: REG_DWORD
- Name: bMIPExternalAuthAdmin
- Value: 1 to enable or 0 to disable
- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\Trunk\FeatureLockDown
-
Ensure Acrobat or Reader are not running.
-
Keeping the Command button pressed, press the Space bar.
-
In the Search bar, enter Terminal, and double-click Terminal in the left sidebar to open the macOS terminal.
-
In the terminal, run the following commands:
For Acrobat:
- sudo /usr/libexec/PlistBuddy -c "Add :DC:FeatureLockdown:bEnableDKEAdmin bool true" /Library/Preferences/com.adobe.acrobat.pro.plist
- sudo killall cfprefsd
For Reader:
- sudo /usr/libexec/PlistBuddy -c "Add :DC:FeatureLockdown:bEnableDKEAdmin bool true " /Library/Preferences/com.adobe.Reader.plist
- sudo killall cfprefsd
- To disable, use the value false in place of true
- sudo /usr/libexec/PlistBuddy -c "Add :DC:FeatureLockdown:bEnableDKEAdmin bool true" /Library/Preferences/com.adobe.acrobat.pro.plist
-
Ensure Acrobat or Reader are not running.
-
To open Windows registry editor, press the Windows key + r and type regedit.
-
Go to the following registry locations:
For Acrobat:
- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\Trunk\FeatureLockDown
- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown
For Reader:
- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Reader\Trunk\FeatureLockDown
- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Reader\DC\FeatureLockDown
And set the following registry entries:
- Registry Type: REG_DWORD
- Name: bEnableDKEAdmin
- Value: 1 to enable or 0 to disable
- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\Trunk\FeatureLockDown
When you create a MPIP-protected PDF document through Adobe Acrobat, a splash page is added on top of the PDF. This splash page will be shown to the user when MPIP supported Adobe Acrobat desktop application is not installed. Or, the user opens the PDF file in an application that does not support MPIP.
If the MPIP-protected document is opened in a non-MPIP aware viewer, the following splash screen is displayed.
Yes. If the label has content markings like header, footer, or watermarks, they will be embedded inside the PDF. The content markings will be part of the PDF structure.
Yes. You can clear the currently saved Microsoft account. The next time you apply a label, you will be prompted again for your Microsoft credentials.
The next time your apply a label, you will be prompted to sign in.