Update management for Adobe Acrobat Reader

I install Adobe Reader via Group Policy and software assignment. I've been applying MSP-based patches to my Adobe Reader installation points and then instructing client computers to reinstall via the "Redeploy..." functionality in Group Policy. I don't particularly like doing things this way, but it's the least labor-intensive method I can see.

This recent Adobe Reader patch (9.1.2) is MSP-based, so I'm able to deploy it in my usual manner. If Adobe decides to start distributing EXE-based patches, then I've got a problem and have to begin writing scripts. (Hopefully they'll stick to a Windows Installer based patching regime from here on out. We'll see...)

If they do go to EXE-based updates, I'll write scripts to deploy them silently via computer startup scripts. (If you've got the money to pony-up for Microsoft's System Center Configuration Manager, you can use the built-in System Center Update Publisher to deploy these types of updates.)

Having the client computers download patches themselves via the built-in updater functionality in Adobe Reader is useless to me. I need to be able to centrally control the deployment of updates such that I can test the update prior to deployment. Users don't have "Administrator" rights on their computers and can't install any updates themselves anyway. I disable the updater as a transform to the MSI for Adobe Reader.

I've never used a third-party patch management tool, so I can't comment. Patch management tools that claim to automate the patching process have always given me a bit of pause. Tools that do "snapshotting" aren't actually capturing the logic in an installer, and could do the wrong thing under circumstances different than when the snapshot was taken. Tools that "silently install" patches often require the same amount of work that I'd put into writing a script to install the patch anyway. As such, I'm dubious of the effectiveness and reliablity of "patch management" tools over using software assignment, "Redeploy...", and hand-written scripts to deploy patches.

This article was very useful to me in deploying Adobe Acrobat Reader:

Deploying Adobe Reader 9 for Windows.

There are two sections which could be interesting for you. This one:

What To Do About Adobe Updater

Reader 9 continues to include the Adobe Updater application which has been updated to version 6. While I haven’t seen it misbehave for some time and it no longer drops an Updater folder in your Documents folder, you might still want to disable it.

There are a few ways to do this. You can disable Updater by running it (click Help / Check for Updates) then click the Preferences link. You will then see the Preferences dialog, where you can choose to disable Updater.

and the following section

Updating Reader

Updating Adobe Reader can be a bit of a challenge, especially for smaller environments using only Group Policy Software Installation. For Reader 8, Adobe released updates as a complete download of the installer rather than patches. I recommend updating using the full installer as updates for version 9 are released.

If you would really prefer to use the Updater to keep Reader current, you could use the following command in a task using Windows Task Scheduler:

 "%CommonProgramFiles%\Adobe\Updater6\Adobe_Updater.exe" -AU_LAUNCH_MODE=1
 -AU_DISPLAY_LANG=en_US -AU_LAUNCH_APPID=reader9rdr-en_US

Adobe supply a tool to customise the MSI installation of Acrobat, the Adobe Customization Wizard. What we do is to deploy Acrobat/Reader through Group Policy, having first used this tool to customise the MSI to disable all updating, update prompts, etc.

Having done this, we can roll out updated to Acrobat via GP as they're released.

Sadly no, I don't know of any centralised tool that will do this. The above approach will at least let you manage the updates, and stop users complaining about the Adobe Updated popups!

What about using SMS or the new System Center Configuration Manager? I can't afford to play with SCCM but from what I understand it is much easier to deploy / update software than SMS was. It might be worth looking into anyways.

Ultimately I think the best solution is to toss out the idea of 'patching' update and do a remove/re-install with each new update/version. If you want to take the time to wrap the adobe installer as a MSI installer then you could deploy it using GPSI.

If when you say "manager", you're really after update caching, there's a free, open, passive plug-in to the linux-based firewall IPCop called Update Accelerator. You'll not only get your Adobe updates; you'll also get update caching for Apple, Avast, Linux (.deb and .rpm), Microsoft, Symantec, and Trend Micro if you want them. It also supports the ability to add custom sources.

A branch of my organization has been using it for about a quarter with great results (and, may I add, much needed results, as there isn't a ton of bandwidth available to us in Africa). If you like the plug-in but could care less about IPCop, I would just implement IPCop with Update Accelerator, yet neuter the IPCop configuration to the point where it doesn't do anything except direct updates through Update Accelerator.

You mean something like Adobe Update Manager?

A manual/homegrown approach may work:

• Whenever a new update is available, throw it in a shared folder (can be scripted via FTP-Lookup to Adobe-Server I think)
• At a user logon script, check that folder and drive the update, if a new file is there

Greetz, GHad

Edit: I friend of mine recommended the site http://wpkg.org/Adobe_Reader_9 for more information. I didn't read details though (no time), but wanted to share this link